Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat-catalina@8.0.39 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-11gb-2qp7-aaaj
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
Exposure of Resource to Wrong Sphere Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 4 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-jtsq-4sgf-aaag
Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949 |
Insufficient Verification of Data Authenticity The CORS Filter in Apache Tomcat does not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. |
Affected by 3 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nm9b-h95h-aaaa
Aliases: CVE-2020-9484 GHSA-344f-f5vg-2jfj |
Potential remote code execution in Apache Tomcat |
Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-nswt-2j13-aaak
Aliases: CVE-2016-5388 GHSA-v646-rx6w-r3qq |
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-p378-4jg4-aaam
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
Information Exposure A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage. |
Affected by 5 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-s7md-7wyb-d3dp
Aliases: CVE-2024-52316 GHSA-xcpr-7mr4-h4xq |
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-sc5t-244h-aaas | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. |
CVE-2016-8735
GHSA-cw54-59pw-4g8c |