VulnerableCode Package Details - pkg:apache/tomcat@9.0.0%2BM9

Search for packages

Package details: pkg:apache/tomcat@9.0.0%2BM9

Essentials
History (18)

purl	pkg:apache/tomcat@9.0.0%2BM9

Next non-vulnerable version	9.0.86
Latest non-vulnerable version	11.0.8
Risk	4.5

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-3kmg-uhrj-aaaq Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.	There are no reported fixed by versions.
VCID-3spb-m822-aaab Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g	System Property Disclosure in Apache Tomcat	There are no reported fixed by versions.
VCID-bwx4-6bsd-aaaf Aliases: CVE-2016-0762 GHSA-wxcp-f2c8-x6xv	Information Exposure Through Timing Discrepancy The Realm implementations in Apache Tomcat does not process the supplied password if the supplied user name did not exist which makes it possible to use a timing attack to determine valid user names.	There are no reported fixed by versions.
VCID-h3d2-7evg-aaac Aliases: CVE-2018-8037 GHSA-6v52-mj5r-7j2m	Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core	9.0.10 Affected by 32 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-msaf-115m-aaaq Aliases: CVE-2016-6796 GHSA-3mjp-p938-4329	A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.	There are no reported fixed by versions.
VCID-szah-tgau-aaad Aliases: CVE-2016-5018 GHSA-4v3g-g84w-hv7r	Improper Access Control In Apache Tomcat, a malicious web application was able to bypass a configured `SecurityManager` via a Tomcat utility method that was accessible to web applications.	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:20.507188+00:00	Apache Tomcat Importer	Affected by	VCID-bwx4-6bsd-aaaf	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.450236+00:00	Apache Tomcat Importer	Affected by	VCID-szah-tgau-aaad	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.389990+00:00	Apache Tomcat Importer	Affected by	VCID-3spb-m822-aaab	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.328707+00:00	Apache Tomcat Importer	Affected by	VCID-msaf-115m-aaaq	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.264345+00:00	Apache Tomcat Importer	Affected by	VCID-3kmg-uhrj-aaaq	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:19.082687+00:00	Apache Tomcat Importer	Affected by	VCID-h3d2-7evg-aaac	https://tomcat.apache.org/security-9.html	36.0.0
2024-09-18T08:17:31.198457+00:00	Apache Tomcat Importer	Affected by	VCID-bwx4-6bsd-aaaf	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:31.145924+00:00	Apache Tomcat Importer	Affected by	VCID-szah-tgau-aaad	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:31.094699+00:00	Apache Tomcat Importer	Affected by	VCID-3spb-m822-aaab	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:31.037748+00:00	Apache Tomcat Importer	Affected by	VCID-msaf-115m-aaaq	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:30.979904+00:00	Apache Tomcat Importer	Affected by	VCID-3kmg-uhrj-aaaq	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:29.886162+00:00	Apache Tomcat Importer	Affected by	VCID-h3d2-7evg-aaac	https://tomcat.apache.org/security-9.html	34.0.1
2024-01-04T02:15:35.278599+00:00	Apache Tomcat Importer	Affected by	VCID-bwx4-6bsd-aaaf	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:35.229542+00:00	Apache Tomcat Importer	Affected by	VCID-szah-tgau-aaad	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:35.177771+00:00	Apache Tomcat Importer	Affected by	VCID-3spb-m822-aaab	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:35.127071+00:00	Apache Tomcat Importer	Affected by	VCID-msaf-115m-aaaq	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:35.076057+00:00	Apache Tomcat Importer	Affected by	VCID-3kmg-uhrj-aaaq	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:34.089022+00:00	Apache Tomcat Importer	Affected by	VCID-h3d2-7evg-aaac	https://tomcat.apache.org/security-9.html	34.0.0rc1