VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat@9.0.88

Search for packages

Package details: pkg:maven/org.apache.tomcat/tomcat@9.0.88

Essentials
History (36)

purl	pkg:maven/org.apache.tomcat/tomcat@9.0.88

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Vulnerabilities affecting this package (7)

Vulnerability	Summary	Fixed by
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-g1y6-gy6q-kbfm Aliases: CVE-2024-56337 GHSA-27hp-xhwr-wr2m	Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability	9.0.98 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.34 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.
VCID-mmcg-y2kn-aaab Aliases: CVE-2013-4286 GHSA-j448-j653-r3vj	Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.	There are no reported fixed by versions.
VCID-s526-jddr-jqd1 Aliases: CVE-2024-38286 GHSA-7jqf-v358-p8g7	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	9.0.90 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.25 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M21 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xwgq-td7d-uydt Aliases: CVE-2025-24813 GHSA-83qj-6fr2-vhqg	tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT	9.0.99 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.35 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-yktk-48uz-aaac Aliases: CVE-2024-34750 GHSA-wm9w-rjj3-j356	Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.	9.0.90 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.25 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M21 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-21T19:22:54.155981+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-9.html	36.1.3
2025-06-21T19:22:50.867285+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-9.html	36.1.3
2025-06-21T19:22:32.937525+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.3
2025-06-21T19:22:24.210586+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.3
2025-06-05T11:12:08.305766+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-9.html	36.1.0
2025-06-05T11:12:05.678980+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-9.html	36.1.0
2025-06-05T11:11:51.096079+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.0
2025-06-05T11:11:43.882841+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.0
2025-06-03T00:01:43.741239+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-9.html	36.1.2
2025-06-03T00:01:41.199791+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-9.html	36.1.2
2025-06-03T00:01:26.657489+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.2
2025-06-03T00:01:19.720666+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.2
2025-04-07T11:50:25.395748+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-9.html	36.0.0
2025-04-07T11:50:18.150527+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-9.html	36.0.0
2025-04-07T11:49:35.325324+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.0.0
2025-04-07T11:49:14.655057+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.0.0
2025-02-22T08:04:07.005976+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-9.html	35.1.0
2025-02-22T08:01:35.565046+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	35.1.0
2025-02-22T08:01:31.701476+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	35.1.0
2024-11-24T14:59:55.731289+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	35.0.0
2024-10-11T09:26:40.245706+00:00	Apache Tomcat Importer	Affected by	VCID-s526-jddr-jqd1	https://tomcat.apache.org/security-9.html	34.0.2
2024-10-11T09:26:39.367982+00:00	Apache Tomcat Importer	Affected by	VCID-yktk-48uz-aaac	https://tomcat.apache.org/security-9.html	34.0.2
2024-10-11T09:25:28.890351+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	34.0.2
2024-10-11T09:25:15.738036+00:00	Apache Tomcat Importer	Affected by	VCID-ma76-864y-aaaf	https://tomcat.apache.org/security-4.html	34.0.2
2024-10-07T17:15:07.131888+00:00	GHSA Importer	Affected by	VCID-ah95-hj74-aaaq	https://github.com/advisories/GHSA-xjgh-84hx-56c5	34.0.2
2024-09-25T23:21:45.558803+00:00	Apache Tomcat Importer	Affected by	VCID-s526-jddr-jqd1	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-22T17:38:33.603324+00:00	GHSA Importer	Affected by	VCID-ah95-hj74-aaaq	https://github.com/advisories/GHSA-xjgh-84hx-56c5	34.0.1
2024-09-20T08:49:48.222125+00:00	Apache Tomcat Importer	Affected by	VCID-yktk-48uz-aaac	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-20T08:48:36.985304+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	34.0.1
2024-09-20T08:48:23.939360+00:00	Apache Tomcat Importer	Affected by	VCID-ma76-864y-aaaf	https://tomcat.apache.org/security-4.html	34.0.1
2024-04-26T06:10:55.264601+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	34.0.0rc4
2024-04-26T06:10:53.309469+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	34.0.0rc4
2024-04-26T06:10:20.330553+00:00	Apache Tomcat Importer	Affected by	VCID-ma76-864y-aaaf	None	34.0.0rc4
2024-04-26T06:10:18.349567+00:00	Apache Tomcat Importer	Affected by	VCID-ma76-864y-aaaf	https://tomcat.apache.org/security-4.html	34.0.0rc4
2024-04-23T18:39:10.945026+00:00	GHSA Importer	Affected by	VCID-ah95-hj74-aaaq	None	34.0.0rc4
2024-04-23T18:39:06.521741+00:00	GHSA Importer	Affected by	VCID-ah95-hj74-aaaq	https://github.com/advisories/GHSA-xjgh-84hx-56c5	34.0.0rc4