Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@8.5.68
purl pkg:maven/org.apache.tomcat/tomcat@8.5.68
Next non-vulnerable version 9.0.83
Latest non-vulnerable version 11.0.10
Risk 10.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-2n65-91en-cqa8
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
8.5.96
Affected by 1 other vulnerability.
9.0.83
Affected by 0 other vulnerabilities.
10.1.16
Affected by 0 other vulnerabilities.
11.0.0-M11
Affected by 3 other vulnerabilities.
11.0.1
Affected by 3 other vulnerabilities.
VCID-7nj6-9exh-5qgr
Aliases:
CVE-2022-42252
GHSA-p22x-g9px-3945
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
8.5.83
Affected by 4 other vulnerabilities.
9.0.68
Affected by 3 other vulnerabilities.
10.0.27
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-8m28-utzk-x7gj
Aliases:
CVE-2022-25762
GHSA-h3ch-5pp2-vh6w
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
8.5.75
Affected by 8 other vulnerabilities.
8.5.76
Affected by 7 other vulnerabilities.
9.0.20
Affected by 18 other vulnerabilities.
9.0.21
Affected by 17 other vulnerabilities.
VCID-ghc6-gmwn-wyg2
Aliases:
CVE-2022-29885
GHSA-r84p-88g2-2vx2
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
8.5.79
Affected by 5 other vulnerabilities.
9.0.63
Affected by 5 other vulnerabilities.
10.0.21
Affected by 3 other vulnerabilities.
10.1.0-M15
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-jubv-tebw-3fgb
Aliases:
CVE-2022-34305
GHSA-6j88-6whg-x687
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
8.5.82
Affected by 4 other vulnerabilities.
9.0.65
Affected by 4 other vulnerabilities.
10.0.22
Affected by 3 other vulnerabilities.
10.0.23
Affected by 2 other vulnerabilities.
10.1.0-M17
Affected by 1 other vulnerability.
VCID-khwj-pqm5-rbc4
Aliases:
CVE-2021-42340
GHSA-wph7-x527-w3h5
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
8.5.72
Affected by 8 other vulnerabilities.
9.0.54
Affected by 7 other vulnerabilities.
10.0.12
Affected by 5 other vulnerabilities.
10.1.0-M6
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-mx9m-1qg7-67gh
Aliases:
CVE-2021-43980
GHSA-jx7c-7mj5-9438
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
8.5.78
Affected by 6 other vulnerabilities.
9.0.62
Affected by 6 other vulnerabilities.
10.0.20
Affected by 4 other vulnerabilities.
10.1.0-M14
Affected by 2 other vulnerabilities.
10.1.1
Affected by 3 other vulnerabilities.
VCID-nq3y-spqj-qyca
Aliases:
CVE-2018-1305
GHSA-jx6h-3fjx-cgv5
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
9.0.5
Affected by 26 other vulnerabilities.
VCID-r5jp-6b4w-rffw
Aliases:
CVE-2023-41080
GHSA-q3mw-pvr8-9ggc
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
8.5.93
Affected by 6 other vulnerabilities.
9.0.80
Affected by 5 other vulnerabilities.
10.1.13
Affected by 4 other vulnerabilities.
11.0.0-M11
Affected by 3 other vulnerabilities.
11.0.1
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-1nex-fumc-nfgc Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. CVE-2021-33037
GHSA-4vww-mc66-62m6

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T13:38:57.870881+00:00 GHSA Importer Fixing VCID-1nex-fumc-nfgc https://github.com/advisories/GHSA-4vww-mc66-62m6 37.0.0
2025-08-01T11:26:44.026862+00:00 GitLab Importer Affected by VCID-2n65-91en-cqa8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml 37.0.0
2025-08-01T11:18:24.603663+00:00 GitLab Importer Affected by VCID-r5jp-6b4w-rffw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-41080.yml 37.0.0
2025-08-01T10:52:43.099861+00:00 GitLab Importer Affected by VCID-7nj6-9exh-5qgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-42252.yml 37.0.0
2025-08-01T10:48:53.927620+00:00 GitLab Importer Affected by VCID-mx9m-1qg7-67gh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-43980.yml 37.0.0
2025-08-01T10:41:07.924296+00:00 GitLab Importer Affected by VCID-jubv-tebw-3fgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-34305.yml 37.0.0
2025-08-01T10:27:49.230813+00:00 GitLab Importer Affected by VCID-8m28-utzk-x7gj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-25762.yml 37.0.0
2025-08-01T10:22:33.275893+00:00 GitLab Importer Affected by VCID-ghc6-gmwn-wyg2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-29885.yml 37.0.0
2025-08-01T10:04:32.141184+00:00 GitLab Importer Affected by VCID-khwj-pqm5-rbc4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2021-42340.yml 37.0.0
2025-08-01T09:06:29.400491+00:00 GitLab Importer Affected by VCID-nq3y-spqj-qyca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml 37.0.0
2025-07-31T08:50:30.824329+00:00 GithubOSV Importer Fixing VCID-1nex-fumc-nfgc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-4vww-mc66-62m6/GHSA-4vww-mc66-62m6.json 37.0.0
2025-07-31T08:03:21.734556+00:00 Apache Tomcat Importer Fixing VCID-1nex-fumc-nfgc https://tomcat.apache.org/security-8.html 37.0.0