Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat@8.5.56 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-36kb-dupk-rkaf
Aliases: CVE-2020-13934 GHSA-vf77-8h7g-gghp |
denial of service |
Affected by 15 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-5kwe-kbzx-5qfa
Aliases: CVE-2020-13935 GHSA-m7jv-hq7h-mq7c |
denial of service |
Affected by 15 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-6su4-th7q-gybv
Aliases: CVE-2022-25762 GHSA-h3ch-5pp2-vh6w |
Improper socket reuse in Apache Tomcat If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. |
Affected by 9 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-7kak-h2zt-ukgn
Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76 |
Apache Tomcat Improper Input Validation vulnerability Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11Â onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-88hy-dsrh-8kbe
Aliases: CVE-2024-21733 GHSA-f4qf-m5gf-8jm8 |
Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. |
Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-9snt-d7yb-83b7
Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc |
Apache Tomcat Open Redirect vulnerability URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. |
Affected by 7 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-9y7r-pxr5-x3e8
Aliases: CVE-2021-30640 GHSA-36qh-35cm-5w2w |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-eeug-hann-73d4
Aliases: CVE-2021-41079 GHSA-59g9-7gfx-c72p |
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. |
Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-f59g-qvus-aufz
Aliases: CVE-2020-17527 GHSA-vvw4-rfwf-p6hx |
information disclosure |
Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-fmff-4pym-u7fs
Aliases: CVE-2021-43980 GHSA-jx7c-7mj5-9438 |
Apache Tomcat Race Condition vulnerability The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-hgwz-6w1y-wugc
Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m |
information disclosure |
Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-jvrv-8jzr-afew
Aliases: CVE-2022-34305 GHSA-6j88-6whg-x687 |
Cross-site Scripting in Apache Tomcat In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-pqer-9uf5-67br
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 27 other vulnerabilities. |
|
VCID-qbt4-8bfu-yqaj
Aliases: CVE-2022-29885 GHSA-r84p-88g2-2vx2 |
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-vtsj-tj34-83es
Aliases: CVE-2013-4286 GHSA-j448-j653-r3vj |
There are no reported fixed by versions. | |
|
VCID-zkyd-zu9g-mken
Aliases: CVE-2022-42252 GHSA-p22x-g9px-3945 |
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. |
Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-36kb-dupk-rkaf | denial of service |
CVE-2020-13934
GHSA-vf77-8h7g-gghp |
| VCID-5kwe-kbzx-5qfa | denial of service |
CVE-2020-13935
GHSA-m7jv-hq7h-mq7c |
| VCID-urey-u4ew-eke6 | denial of service |
CVE-2020-11996
GHSA-53hp-jpwq-2jgq |