Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.73 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-11gb-2qp7-aaaj
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
Exposure of Resource to Wrong Sphere Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 6 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-4qt5-mdpt-aaas
Aliases: CVE-2017-12615 GHSA-pjfr-qf3p-3q25 |
When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-jtsq-4sgf-aaag
Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949 |
Insufficient Verification of Data Authenticity The CORS Filter in Apache Tomcat does not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. |
Affected by 5 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-m8ve-za8b-aaap
Aliases: CVE-2017-12616 GHSA-8qq4-8jvq-mfw4 |
Information Exposure When using a `VirtualDirContext` with Apache Tomcat it is possible to bypass security constraints and/or view the source code of JSPs for resources served by the `VirtualDirContext` using a specially crafted request. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nm9b-h95h-aaaa
Aliases: CVE-2020-9484 GHSA-344f-f5vg-2jfj |
Potential remote code execution in Apache Tomcat |
Affected by 2 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-p378-4jg4-aaam
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
Information Exposure A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage. |
Affected by 7 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-s7md-7wyb-d3dp
Aliases: CVE-2024-52316 GHSA-xcpr-7mr4-h4xq |
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-w4d3-t13k-aaab
Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m |
Information Disclosure in Apache Tomcat |
Affected by 1 other vulnerability. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-sc5t-244h-aaas | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. |
CVE-2016-8735
GHSA-cw54-59pw-4g8c |