VulnerableCode Package Details - pkg:deb/ubuntu/tomcat8@8.5.21-1ubuntu1

Vulnerabilities affecting this package (13)

Vulnerability	Summary	Fixed by
VCID-2nrx-8urf-aaaf Aliases: CVE-2019-0221 GHSA-jjpq-gp5q-8q6w	Cross-site scripting in Apache Tomcat	8.5.39-1ubuntu1~18.04.3 Affected by 0 other vulnerabilities.
VCID-7c2n-n9ga-aaar Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835	The host name verification missing in Apache Tomcat	8.5.39-1ubuntu1~18.04.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-7qs4-bekd-aaab Aliases: CVE-2018-11784 GHSA-5q99-f34m-67gc	Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core	8.5.39-1ubuntu1~18.04.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-983g-2nuz-aaaa Aliases: CVE-2019-10072 GHSA-q4hg-rmq2-52q9	Improper Locking in Apache Tomcat	8.5.39-1ubuntu1~18.04.3 Affected by 0 other vulnerabilities.
VCID-9pu2-we8w-aaar Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5	Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core	8.5.30-1ubuntu1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	8.5.30-1ubuntu1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-b2z1-15m4-aaac Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4	In Apache Tomcat there is an improper handing of overflow in the UTF-8 decoder	8.5.39-1ubuntu1~18.04.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-cp4z-y57s-aaah Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp	The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins	8.5.30-1ubuntu1.2 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-d82s-fpes-aaar Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r	Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core	8.5.30-1ubuntu1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-h3d2-7evg-aaac Aliases: CVE-2018-8037 GHSA-6v52-mj5r-7j2m	Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core	8.5.39-1ubuntu1~18.04.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-m8ve-za8b-aaap Aliases: CVE-2017-12616 GHSA-8qq4-8jvq-mfw4	Information Exposure When using a `VirtualDirContext` with Apache Tomcat it is possible to bypass security constraints and/or view the source code of JSPs for resources served by the `VirtualDirContext` using a specially crafted request.	8.5.30-1ubuntu1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u7ka-jfwa-aaam Aliases: CVE-2017-15706 GHSA-372q-33vh-8mpc	Improperly Implemented Security Check for Standard Some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.	8.5.30-1ubuntu1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zxmb-hhr6-aaap Aliases: CVE-2019-0199 GHSA-qcxh-w3j9-58qr	Denial of Service in Tomcat	8.5.39-1ubuntu1~18.04.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	8.5.39-1ubuntu1~18.04.3
Latest non-vulnerable version	8.5.39-1ubuntu1~18.04.3
Risk	10.0

Vulnerability	Summary	Aliases
VCID-11gb-2qp7-aaaj	Exposure of Resource to Wrong Sphere Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.	CVE-2017-5648 GHSA-3vx3-xf6q-r5xp
VCID-w4q7-4d2t-aaan	Information Exposure When "send file" is used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.	CVE-2017-5647 GHSA-3gv7-3h64-78cm