Lucene search
K

17 matches found

OSV
OSV
added 2026/05/18 8:56 a.m.64 views

BIT-TOMCAT-2020-1938

When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...

9.8CVSS7.7AI score0.9927EPSS
Exploits46References53
OSV
OSV
added 2026/03/24 10:21 a.m.44 views

BIT-TOMCAT-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 10.1.0 to 10.1.5, 9.0.0 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the...

4.3CVSS6.7AI score0.01831EPSS
Exploits0References3
OSV
OSV
added 2024/03/06 11:9 a.m.38 views

BIT-TOMCAT-2022-42252 Apache Tomcat request smuggling via malformed content-length

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0 to 9.0.67, 10.0.0 to 10.0.26 or 10.1.0 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false the default for 8.5.x only, Tomcat did not reject a request containing an invalid Content-Length header making a request...

7.5CVSS6.7AI score0.01448EPSS
Exploits0References3
0day.today
0day.today
added 2024/02/01 12:0 a.m.965 views

Apache Tomcat 8.5.63 / 9.0.43 HTTP Response Smuggling Vulnerability

Apache Tomcat suffers from a client-side de-sync vulnerability via HTTP request smuggling. Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable. Exploit Title: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling Date: 1/31/2024 Exploit Author: xer0dayz Vendor...

5.3CVSS6.4AI score0.14286EPSS
Exploits3
Atlassian
Atlassian
added 2023/11/03 12:45 a.m.57 views

Request Smuggling org.apache.tomcat:tomcat-coyote in Confluence Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in version 7.19.0 of Confluence Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N allows an unauthenticated attacker t...

7.5CVSS7.1AI score0.01448EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2023/09/27 12:0 a.m.32 views

Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-002)

The version of tomcat installed on the remote host is prior to 8.5.79-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT8.5-2023-002 advisory. If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore...

7.5CVSS7.1AI score0.01448EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2023/09/27 12:0 a.m.46 views

Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-014)

The version of tomcat installed on the remote host is prior to 8.5.40-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT8.5-2023-014 advisory. The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided da...

6.1CVSS7AI score0.45571EPSS
Exploits3References4
NVD
NVD
added 2023/03/22 11:15 a.m.27 views

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

4.3CVSS5.8AI score0.01831EPSS
Exploits0References2
Cvelist
Cvelist
added 2023/03/22 10:10 a.m.53 views

CVE-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

6.1AI score0.01831EPSS
Exploits0References1
OpenVAS
OpenVAS
added 2022/05/13 12:0 a.m.18 views

Apache Tomcat Request Mix-up Vulnerability (May 2022) - Linux

Apache Tomcat is prone to a request mix-up vulnerability. Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you...

8.6CVSS8.5AI score0.08033EPSS
Exploits0References3
Atlassian
Atlassian
added 2022/03/10 4:57 a.m.61 views

Tomcat versions bundled with the Crowd product are vulnerable to CVE-2021-33037

The different Tomcat versions 8.5.X bundled to the Atlassian Crowd product versions lower than Crowd 4.4.1 are vulnerable to CVE-2021-33037|https://vulners.com/cve/CVE-2021-33037 The Tomcat versions from 8.5.0 to 8.5.66 are affected by the mentioned...

5.3CVSS6AI score0.75353EPSS
Exploits1
Cvelist
Cvelist
added 2020/06/26 4:27 p.m.38 views

CVE-2020-11996

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...

7.5AI score0.26699EPSS
Exploits0References24
Tenable Nessus
Tenable Nessus
added 2020/02/28 12:0 a.m.170 views

Apache Tomcat 8.5.x < 8.5.51 Multiple Vulnerabilities

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 or 7.0.0 to 7.0.99. It is, therefore, affected by multiple vulnerabilities : - An arbitrary file read vulnerability in AJP protocol due to an implementation defect which could also be leveraged to...

9.8CVSS6.5AI score0.9927EPSS
Exploits46References4
CVE
CVE
added 2020/02/24 9:19 p.m.4246 views

CVE-2020-1938

CVE-2020-1938 (Tomcat AJP vulnerability) : The issue affects Apache Tomcat where the AJP Connector, enabled by default in several legacy releases, could be reached through untrusted networks. An attacker could exploit the configured AJP path to read arbitrary files in the web application and pote...

9.8CVSS9.9AI score0.9927EPSS
In wildExploits46References52Affected Software2
Kaspersky
Kaspersky
added 2019/02/08 12:0 a.m.37 views

KLA11494 DOS vulnerability in Apache Tomcat

Incorrect requests handling int Apache HTTP/2. Malicious users can exploit this vulnerability to cause denial of service. Original advisories Apache Tomcat 8.x Security Vulnerabilities Related products Apache-Tomcat CVE list CVE-2019-0199 warning Solution Update to the latest version Download...

7.5CVSS6.8AI score0.72855EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2018/01/31 2:0 p.m.42 views

CVE-2017-15706

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a...

5.3CVSS6AI score0.06083EPSS
Exploits0
NVD
NVD
added 2016/07/04 10:59 p.m.22 views

CVE-2016-3092

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service CPU consumption via a long boundary string...

7.8CVSS7.4AI score0.35927EPSS
Exploits0References49
Rows per page
Query Builder