Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@9.0.39
purl pkg:maven/org.apache.tomcat/tomcat@9.0.39
Next non-vulnerable version 9.0.83
Latest non-vulnerable version 11.0.10
Risk 10.0
Vulnerabilities affecting this package (11)
Vulnerability Summary Fixed by
VCID-2n65-91en-cqa8
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
9.0.83
Affected by 0 other vulnerabilities.
10.1.16
Affected by 0 other vulnerabilities.
11.0.0-M11
Affected by 3 other vulnerabilities.
11.0.1
Affected by 3 other vulnerabilities.
VCID-52jg-1p2w-uqc9
Aliases:
CVE-2021-30640
GHSA-36qh-35cm-5w2w
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
9.0.45
Affected by 9 other vulnerabilities.
9.0.46
Affected by 9 other vulnerabilities.
10.0.5
Affected by 6 other vulnerabilities.
10.0.6
Affected by 6 other vulnerabilities.
VCID-53ea-3wyh-xfg7
Aliases:
CVE-2020-17527
GHSA-vvw4-rfwf-p6hx
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
9.0.40
Affected by 11 other vulnerabilities.
10.0.0-M10
Affected by 1 other vulnerability.
10.0.2
Affected by 7 other vulnerabilities.
VCID-7m6d-m7rr-fbgj
Aliases:
CVE-2021-41079
GHSA-59g9-7gfx-c72p
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
9.0.44
Affected by 10 other vulnerabilities.
10.0.4
Affected by 7 other vulnerabilities.
VCID-7nj6-9exh-5qgr
Aliases:
CVE-2022-42252
GHSA-p22x-g9px-3945
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
9.0.68
Affected by 3 other vulnerabilities.
10.0.27
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-ekhp-s7kg-ebdy
Aliases:
CVE-2024-21733
GHSA-f4qf-m5gf-8jm8
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
9.0.44
Affected by 10 other vulnerabilities.
VCID-ghc6-gmwn-wyg2
Aliases:
CVE-2022-29885
GHSA-r84p-88g2-2vx2
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
9.0.63
Affected by 5 other vulnerabilities.
10.0.21
Affected by 3 other vulnerabilities.
10.1.0-M15
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-jubv-tebw-3fgb
Aliases:
CVE-2022-34305
GHSA-6j88-6whg-x687
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
9.0.65
Affected by 4 other vulnerabilities.
10.0.22
Affected by 3 other vulnerabilities.
10.0.23
Affected by 2 other vulnerabilities.
10.1.0-M17
Affected by 1 other vulnerability.
VCID-mx9m-1qg7-67gh
Aliases:
CVE-2021-43980
GHSA-jx7c-7mj5-9438
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
9.0.62
Affected by 6 other vulnerabilities.
10.0.20
Affected by 4 other vulnerabilities.
10.1.0-M14
Affected by 2 other vulnerabilities.
10.1.1
Affected by 3 other vulnerabilities.
VCID-r5jp-6b4w-rffw
Aliases:
CVE-2023-41080
GHSA-q3mw-pvr8-9ggc
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
9.0.80
Affected by 5 other vulnerabilities.
10.1.13
Affected by 4 other vulnerabilities.
11.0.0-M11
Affected by 3 other vulnerabilities.
11.0.1
Affected by 3 other vulnerabilities.
VCID-s87f-pf8e-yqcz
Aliases:
CVE-2021-24122
GHSA-2rvv-w9r2-rg7m
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
9.0.40
Affected by 11 other vulnerabilities.
10.0.0-M10
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T11:31:22.929186+00:00 GitLab Importer Affected by VCID-ekhp-s7kg-ebdy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2024-21733.yml 37.0.0
2025-08-01T11:26:44.309093+00:00 GitLab Importer Affected by VCID-2n65-91en-cqa8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml 37.0.0
2025-08-01T11:18:24.868585+00:00 GitLab Importer Affected by VCID-r5jp-6b4w-rffw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-41080.yml 37.0.0
2025-08-01T10:52:43.319441+00:00 GitLab Importer Affected by VCID-7nj6-9exh-5qgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-42252.yml 37.0.0
2025-08-01T10:48:54.132467+00:00 GitLab Importer Affected by VCID-mx9m-1qg7-67gh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-43980.yml 37.0.0
2025-08-01T10:41:08.035759+00:00 GitLab Importer Affected by VCID-jubv-tebw-3fgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-34305.yml 37.0.0
2025-08-01T10:22:33.432520+00:00 GitLab Importer Affected by VCID-ghc6-gmwn-wyg2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-29885.yml 37.0.0
2025-08-01T10:03:16.310510+00:00 GitLab Importer Affected by VCID-7m6d-m7rr-fbgj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-41079.yml 37.0.0
2025-08-01T09:59:12.374394+00:00 GitLab Importer Affected by VCID-52jg-1p2w-uqc9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-30640.yml 37.0.0
2025-08-01T09:47:03.608191+00:00 GitLab Importer Affected by VCID-s87f-pf8e-yqcz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-24122.yml 37.0.0
2025-08-01T09:45:51.066688+00:00 GitLab Importer Affected by VCID-53ea-3wyh-xfg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2020-17527.yml 37.0.0
2025-07-31T08:03:19.666050+00:00 Apache Tomcat Importer Affected by VCID-53ea-3wyh-xfg7 https://tomcat.apache.org/security-9.html 37.0.0
2025-07-31T08:03:19.639163+00:00 Apache Tomcat Importer Affected by VCID-s87f-pf8e-yqcz https://tomcat.apache.org/security-9.html 37.0.0