Search for packages
| purl | pkg:apache/tomcat@11.0.0-M10 |
| Next non-vulnerable version | 11.0.0-M17 |
| Latest non-vulnerable version | 11.0.8 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6y3x-kyj7-aaaf
Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013 |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Affected by 3 other vulnerabilities. |
|
VCID-7sta-sz5f-aaap
Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm |
Apache Tomcat vulnerable to Unprotected Transport of Credentials |
Affected by 3 other vulnerabilities. |
|
VCID-ah95-hj74-aaaq
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | There are no reported fixed by versions. |
|
VCID-e318-2aad-aaag
Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. |
Affected by 6 other vulnerabilities. |
|
VCID-f68z-z5n7-aaae
Aliases: CVE-2023-42795 GHSA-g8pj-r55q-5c2v |
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-ma76-864y-aaaf
Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h |
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information. | There are no reported fixed by versions. |
|
VCID-pcvp-wv2z-aaas
Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76 |
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. |
Affected by 6 other vulnerabilities. |
|
VCID-r78u-gre6-aaaj
Aliases: CVE-2023-45648 GHSA-r6j3-px5g-cq3x |
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-03-28T13:19:13.085977+00:00 | Apache Tomcat Importer | Affected by | VCID-pcvp-wv2z-aaas | https://tomcat.apache.org/security-11.html | 36.0.0 |
| 2025-03-28T13:19:13.028217+00:00 | Apache Tomcat Importer | Affected by | VCID-e318-2aad-aaag | https://tomcat.apache.org/security-11.html | 36.0.0 |
| 2024-09-18T08:17:24.448504+00:00 | Apache Tomcat Importer | Affected by | VCID-pcvp-wv2z-aaas | https://tomcat.apache.org/security-11.html | 34.0.1 |
| 2024-09-18T08:17:24.395057+00:00 | Apache Tomcat Importer | Affected by | VCID-e318-2aad-aaag | https://tomcat.apache.org/security-11.html | 34.0.1 |
| 2024-01-04T02:15:29.614042+00:00 | Apache Tomcat Importer | Affected by | VCID-pcvp-wv2z-aaas | https://tomcat.apache.org/security-11.html | 34.0.0rc1 |
| 2024-01-04T02:15:29.566706+00:00 | Apache Tomcat Importer | Affected by | VCID-e318-2aad-aaag | https://tomcat.apache.org/security-11.html | 34.0.0rc1 |