Search: Tomcat (sorted by most viewed)

345 matches found

Apache Tomcat
added 2018/06/26 12:00 a.m. • 108 views

Fixed in Apache Tomcat 8.5.32

Important: Information Disclosure CVE-2018-8037 If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present...

CVSS 9.8 • AI score 7 • EPSS 0.21979
Exploits 0 • Affected Software 1
Apache Tomcat
added 2023/02/24 12:00 a.m. • 107 views

Fixed in Apache Tomcat 10.1.6

Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...

CVSS 4.3 • AI score 6 • EPSS 0.01831
Exploits 0 • Affected Software 1
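CVE-2023-28708 above concerns a session cookie issued without the Secure attribute when a proxy terminated TLS and forwarded the request over HTTP with X-Forwarded-Proto: https. As an added example (not Tomcat or RemoteIpFilter code), here is a Python check over a constructed request/response pair that flags session cookies lacking Secure in exactly that situation; the cookie name JSESSIONID and the sample headers are assumptions.

```python
"""Check session cookies issued behind a TLS-terminating proxy for Secure.

Added example, not Tomcat code. Given the scheme the proxy reported in
X-Forwarded-Proto and the Set-Cookie values in the response, report session
cookies that should carry Secure (and HttpOnly) but do not. The sample
request and cookies below are constructed.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()   # flag-style attrs get value ""
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookies(request_headers: dict, set_cookie_values: list,
                          session_cookie_names=("JSESSIONID",)) -> list:
    """Return human-readable findings for session cookies lacking Secure/HttpOnly.

    The client is treated as having used HTTPS when the proxy forwarded
    X-Forwarded-Proto: https, which is the case the advisory describes:
    Tomcat itself sees plain HTTP, but the browser's connection was TLS.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    client_https = hdrs.get("x-forwarded-proto", "").lower() == "https"
    findings = []
    for raw in set_cookie_values:
        c = parse_set_cookie(raw)
        if c["name"] not in session_cookie_names:
            continue
        if client_https and "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure although client used HTTPS")
        if "httponly" not in c["attrs"]:
            findings.append(f"{c['name']}: missing HttpOnly")
    return findings


# Constructed sample exchange: a TLS-terminating proxy forwards over HTTP.
PROXIED_REQUEST = {"Host": "app.example", "X-Forwarded-Proto": "https",
                   "X-Forwarded-For": "203.0.113.10"}
# Response as the advisory describes it: the session cookie lacks Secure.
VULNERABLE_RESPONSE_COOKIES = ["JSESSIONID=0123ABCD; Path=/; HttpOnly",
                               "theme=dark; Path=/"]
# Response after the fix: Secure is present.
FIXED_RESPONSE_COOKIES = ["JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print(audit_session_cookies(PROXIED_REQUEST, VULNERABLE_RESPONSE_COOKIES))
    print(audit_session_cookies(PROXIED_REQUEST, FIXED_RESPONSE_COOKIES))
```

The check is deliberately driven by the proxy's header rather than by the scheme Tomcat saw, because that mismatch is the whole point of the advisory: a direct-HTTPS check would have passed while the cookie was still sent to the browser without Secure.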
Apache Tomcat
added 2019/12/17 12:00 a.m. • 107 views

Fixed in Apache Tomcat 7.0.99

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

CVSS 7.5 • AI score 7.5 • EPSS 0.10687
Exploits 0 • Affected Software 1
Apache Tomcat
added 2016/11/08 12:00 a.m. • 103 views

Fixed in Apache Tomcat 9.0.0.M13

Note: The issues below were fixed in Apache Tomcat 9.0.0.M12 but the release vote for the 9.0.0.M12 release candidate did not pass. Therefore, although users must download 9.0.0.M13 to obtain a version that includes fixes for these issues, version 9.0.0.M12 is not included in the list of affected...

CVSS 10 • AI score 9.6 • EPSS 0.92334
Exploits 8 • Affected Software 1
Apache Tomcat
added 2014/02/17 12:00 a.m. • 103 views

Fixed in Apache Tomcat 7.0.52

Note: The issue below was fixed in Apache Tomcat 7.0.51 but the release vote for the 7.0.51 release candidate did not pass. Therefore, although users must download 7.0.52 to obtain a version that includes a fix for this issue, version 7.0.51 is not included in the list of affected versions...

CVSS 7.5 • AI score 6.9 • EPSS 0.83175
Exploits 8 • Affected Software 1
Apache Tomcat
added 2023/02/24 12:00 a.m. • 102 views

Fixed in Apache Tomcat 8.5.86

Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...

CVSS 4.3 • AI score 6 • EPSS 0.01831
Exploits 0 • Affected Software 1
Apache Tomcat
added 2019/06/07 12:00 a.m. • 100 views

Fixed in Apache Tomcat 9.0.21

Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...

CVSS 8.6 • AI score 8.3 • EPSS 0.07538
Exploits 0 • Affected Software 1
Apache Tomcat
added 2018/06/25 12:00 a.m. • 99 views

Fixed in Apache Tomcat 9.0.10

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833757. This issue was reported publicly on 11 June 2018 and formally announced as a...

CVSS 7.5 • AI score 6.8 • EPSS 0.213
Exploits 0 • Affected Software 1
Apache Tomcat
added 2020/07/05 12:00 a.m. • 98 views

Fixed in Apache Tomcat 9.0.37

Important: WebSocket DoS CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. This was fixed with commit 40fa74c7. This issue wa...

CVSS 7.5 • AI score 7.6 • EPSS 0.87553
Exploits 1 • Affected Software 1
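CVE-2020-13935 above says that an invalid WebSocket payload length could drive the decoder into an infinite loop. As an added example (not Tomcat's WebSocket code), here is a strict RFC 6455 frame-header parser in Python that rejects every length encoding the specification forbids before a receiver would try to consume the payload. The sample frames are constructed; which specific invalid length triggered the Tomcat loop is not stated on this page, so the parser applies all of the spec's length rules rather than one.

```python
"""Strict WebSocket (RFC 6455) frame-header parser.

Added example, not Tomcat code: it shows the payload-length checks a
receiver must apply before trusting the length field. Sample frames
below are constructed by hand.
"""
import struct


class FrameError(ValueError):
    """Raised for any frame whose header violates RFC 6455."""


def parse_frame_header(buf: bytes) -> dict:
    """Parse one frame header and validate its payload length.

    Returns fin, opcode, masked, payload_len and header_len (bytes consumed,
    including the masking key if present). Raises FrameError instead of
    accepting an invalid length, so a caller can never loop on a length it
    cannot satisfy.
    """
    if len(buf) < 2:
        raise FrameError("need at least 2 bytes for a frame header")
    b0, b1 = buf[0], buf[1]
    fin, rsv, opcode = bool(b0 & 0x80), b0 & 0x70, b0 & 0x0F
    masked, length, header_len = bool(b1 & 0x80), b1 & 0x7F, 2

    if rsv:
        raise FrameError("RSV bits set without a negotiated extension")
    if opcode in (3, 4, 5, 6, 7, 0xB, 0xC, 0xD, 0xE, 0xF):
        raise FrameError(f"reserved opcode {opcode:#x}")

    if length == 126:
        if len(buf) < 4:
            raise FrameError("truncated 16-bit length")
        length, header_len = struct.unpack(">H", buf[2:4])[0], 4
        if length < 126:
            raise FrameError("non-minimal 16-bit length encoding")
    elif length == 127:
        if len(buf) < 10:
            raise FrameError("truncated 64-bit length")
        length, header_len = struct.unpack(">Q", buf[2:10])[0], 10
        # RFC 6455 5.2: the most significant bit of the 64-bit length MUST be 0.
        # Read into a signed 64-bit integer without this check, such a value
        # becomes negative, which is one kind of "invalid payload length" a
        # receiver must reject rather than attempt to consume.
        if length >> 63:
            raise FrameError("64-bit length has MSB set (would be negative)")
        if length < 0x10000:
            raise FrameError("non-minimal 64-bit length encoding")

    # Control frames (opcode >= 8) must be <= 125 bytes and unfragmented.
    if opcode >= 8:
        if length > 125:
            raise FrameError("control frame payload exceeds 125 bytes")
        if not fin:
            raise FrameError("fragmented control frame")

    if masked:
        header_len += 4  # 32-bit masking key follows the length field

    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload_len": length, "header_len": header_len}


def classify(buf: bytes) -> str:
    """Return 'ok' or the rejection reason; convenient for batch checks."""
    try:
        parse_frame_header(buf)
        return "ok"
    except FrameError as exc:
        return str(exc)


# Constructed sample frames (not captured traffic).
GOOD_SHORT = bytes([0x81, 0x05]) + b"hello"                      # text, FIN, len 5
GOOD_MEDIUM = (bytes([0x82, 0x80 | 126]) + struct.pack(">H", 300)
               + b"\x11\x22\x33\x44")                             # masked binary, len 300
BAD_NEGATIVE = bytes([0x81, 127]) + struct.pack(">Q", 0x8000000000000005)  # MSB set
BAD_NONMINIMAL = bytes([0x81, 126]) + struct.pack(">H", 5)        # 5 encoded as 16-bit
BAD_CONTROL = bytes([0x89, 126]) + struct.pack(">H", 200)         # ping claiming 200 bytes

if __name__ == "__main__":
    for name, frame in [("GOOD_SHORT", GOOD_SHORT), ("GOOD_MEDIUM", GOOD_MEDIUM),
                        ("BAD_NEGATIVE", BAD_NEGATIVE), ("BAD_NONMINIMAL", BAD_NONMINIMAL),
                        ("BAD_CONTROL", BAD_CONTROL)]:
        print(f"{name:15s} {classify(frame)}")
```

The important design point is that the length is validated before any read loop uses it: a receiver that computes "bytes remaining" from an unchecked length has already lost once that value is negative or impossibly large.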
Apache Tomcat
added 2014/02/11 12:00 a.m. • 98 views

Fixed in Apache Tomcat 8.0.3

Note: The issue below was fixed in Apache Tomcat 8.0.2 but the release vote for the 8.0.2 release candidates did not pass. Therefore, although users must download 8.0.3 to obtain a version that includes a fix for this issue, version 8.0.2 is not included in the list of affected versions. Importan...

CVSS 7.5 • AI score 6.9 • EPSS 0.83175
Exploits 8 • Affected Software 1
Apache Tomcat
added 2022/04/01 12:00 a.m. • 97 views

Fixed in Apache Tomcat 8.5.78

High: Information Disclosure CVE-2021-43980 The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug that could cause client connections to share an...

CVSS 3.7 • AI score 5.3 • EPSS 0.01746
Exploits 0 • Affected Software 1
Apache Tomcat
added 2016/11/14 12:00 a.m. • 96 views

Fixed in Apache Tomcat 7.0.73

Important: Remote Code Execution CVE-2016-8735 The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as...

CVSS 9.8 • AI score 9.1 • EPSS 0.90338
Exploits 7 • Affected Software 1
Apache Tomcat
added 2017/04/07 12:00 a.m. • 93 views

Fixed in Apache Tomcat 6.0.53

Important: Information Disclosure CVE-2017-5647 A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong...

CVSS 7.5 • AI score 8.3 • EPSS 0.1684
Exploits 0 • Affected Software 1
Apache Tomcat
added 2018/09/10 12:00 a.m. • 91 views

Fixed in Apache Tomcat 8.5.34

Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. This was fixed in revision...

CVSS 4.3 • AI score 5.2 • EPSS 0.94494
Exploits 3 • Affected Software 1
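CVE-2018-11784 above describes a directory redirect (/foo to /foo/) that a crafted URL could steer to an attacker-chosen URI. As an added example (not the DefaultServlet's logic), here is a Python validator that accepts only same-origin, path-absolute redirect targets, so a value a browser would read as scheme-relative or absolute is refused before it reaches the Location header; the sample inputs are assumptions.

```python
"""Validate a redirect target before emitting a Location header.

Added example, not Tomcat code. A directory redirect must stay on the
current origin; anything a browser could interpret as another host
(scheme-relative //host, a full URL, or the backslash variants browsers
tolerate) is rejected. Sample inputs are constructed.
"""
from urllib.parse import urlsplit


def is_safe_local_redirect(location: str) -> bool:
    """True only for a path-absolute target on the current origin."""
    if any(ch in location for ch in "\r\n\t"):
        return False          # header injection / whitespace tricks
    if not location.startswith("/"):
        return False          # relative path or absolute URL, not a local path
    if location.startswith("//") or location.startswith("/\\"):
        return False          # scheme-relative (//host) or browser-tolerated /\host
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        return False          # urlsplit found a scheme or authority anyway
    return True


def directory_redirect_target(request_path: str) -> str:
    """Build the trailing-slash redirect for a directory request, or raise.

    Mirrors the /foo -> /foo/ behaviour the advisory describes, but refuses
    to emit a target that would leave the origin.
    """
    target = request_path if request_path.endswith("/") else request_path + "/"
    if not is_safe_local_redirect(target):
        raise ValueError(f"refusing to redirect to {target!r}")
    return target


if __name__ == "__main__":
    # Constructed inputs: one ordinary directory request, one that would be
    # interpreted by browsers as pointing at another host.
    for path in ["/foo", "//attacker.example/foo"]:
        try:
            print(path, "->", directory_redirect_target(path))
        except ValueError as exc:
            print(path, "->", exc)
```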
Apache Tomcat
added 2007/08/13 12:00 a.m. • 91 views

Fixed in Apache Tomcat 6.0.14

Low: Cross-site scripting CVE-2007-2449 JSPs within the examples web application did not escape user provided data before including it in the output. This enabled an XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note...

CVSS 4.3 • AI score 6.2 • EPSS 0.77376
Exploits 7 • Affected Software 1
Apache Tomcat
added 2022/07/20 12:00 a.m. • 90 views

Fixed in Apache Tomcat 9.0.65

Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit 8b60af90. This issue was reported to the Apache Tomcat Securit...

CVSS 6.1 • AI score 6.2 • EPSS 0.06156
Exploits 0 • Affected Software 1
Apache Tomcat
added 2021/05/12 12:00 a.m. • 88 views

Fixed in Apache Tomcat 8.5.66

Low: Authentication weakness CVE-2021-30640 Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data eg user names as well as configuration data provided by an administrator. In limited circumstances it was possible for...

CVSS 6.5 • AI score 6.8 • EPSS 0.09886
Exploits 0 • Affected Software 1
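CVE-2021-30640 above is about JNDI Realm queries that did not always escape parameters, user names included, before they went into an LDAP search. As an added example (not Tomcat's JNDIRealm code), the following Python applies RFC 4515 escaping to a value before it is placed in a search filter and then checks that the rendered filter has the same structure as its template; the filter template (uid={0}) and the hostile input are assumptions.

```python
"""Escape user-controlled values before placing them in an LDAP search filter.

Added example, not Tomcat's JNDIRealm code. It implements the RFC 4515
escaping rules so that a user name such as "*)(uid=*" cannot change the
filter's structure. The realm-style filter template is an assumption.
"""

# RFC 4515 section 3: these characters must be escaped as \XX inside an
# assertion value. NUL is included for the same reason.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value with filter metacharacters hex-escaped per RFC 4515."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(username: str, template: str = "(uid={0})") -> str:
    """Render a userSearch-style filter with the user name safely escaped.

    The {0} placeholder convention mirrors how realm configurations commonly
    express the search; it is an assumption of this example.
    """
    return template.replace("{0}", escape_ldap_filter_value(username))


def filter_is_structurally_intact(rendered: str, template: str = "(uid={0})") -> bool:
    """Escaping must not change the number of unescaped parentheses relative
    to the template, i.e. the input cannot have added or closed clauses."""
    def unescaped(s: str, ch: str) -> int:
        count, i = 0, 0
        while i < len(s):
            if s[i] == "\\":
                i += 3          # skip a \XX escape sequence
                continue
            if s[i] == ch:
                count += 1
            i += 1
        return count
    return (unescaped(rendered, "(") == unescaped(template, "(")
            and unescaped(rendered, ")") == unescaped(template, ")"))


if __name__ == "__main__":
    # Constructed input that would widen the filter to match every entry if
    # inserted unescaped.
    hostile = "*)(uid=*"
    print("unescaped:", "(uid={0})".replace("{0}", hostile))
    print("escaped:  ", build_user_search_filter(hostile))
```

Escaping belongs at the point where the value enters the filter, not at input validation time: the advisory notes that values could come from administrator-provided configuration as well as from users, and a single escaping routine at the query boundary covers both sources.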
Apache Tomcat
added 2021/06/15 12:00 a.m. • 87 views

Fixed in Apache Tomcat 8.5.68

Note: The issue below was fixed in Apache Tomcat 8.5.67 but the release vote for the 8.5.67 release candidate did not pass. Therefore, although users must download 8.5.68 to obtain a version that includes a fix for this issue, version 8.5.67 is not included in the list of affected versions...

CVSS 5.3 • AI score 6 • EPSS 0.75353
Exploits 1 • Affected Software 1
Apache Tomcat
added 2017/10/04 12:00 a.m. • 87 views

Fixed in Apache Tomcat 7.0.82

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

CVSS 8.1 • AI score 8.4 • EPSS 0.99988
Exploits 23 • Affected Software 1
Apache Tomcat
added 2009/09/04 12:00 a.m. • 87 views

Fixed in Apache Tomcat 5.5.28

Important: Information Disclosure CVE-2008-5515 When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be...

CVSS 5 • AI score 5.4 • EPSS 0.9444
Exploits 8 • Affected Software 1
Apache Tomcat
added 2024/06/19 12:00 a.m. • 85 views

Fixed in Apache Tomcat 10.1.25

Important: Denial of Service CVE-2024-34750 When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain...

CVSS 8.6 • AI score 7.6 • EPSS 0.04602
Exploits 0 • Affected Software 1
Apache Tomcat
added 2018/05/16 12:00 a.m. • 85 views

Fixed in Apache Tomcat 9.0.9

Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...

CVSS 9.8 • AI score 8.7 • EPSS 0.21979
Exploits 0
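Two entries above are about configuration rather than parser bugs: the Default servlet with readonly=false (CVE-2017-12617, which turned HTTP PUT into JSP upload) and the CORS filter deployed with its defaults (CVE-2018-8014). As an added example (not Tomcat code), this Python script audits a web.xml for both settings; the sample descriptor is constructed, and the init-param names it looks for (readonly, cors.allowed.origins, cors.support.credentials) are the DefaultServlet and CorsFilter parameters.

```python
"""Audit a Tomcat web.xml for two risky settings discussed on this page.

Added example (not Tomcat code). It flags:
  1. DefaultServlet with readonly=false (HTTP PUT/DELETE enabled), and
  2. CorsFilter that relies on defaults, or combines a wildcard origin with
     credentials.
The sample descriptor below is constructed for this example.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
CORS_FILTER = "org.apache.catalina.filters.CorsFilter"


def _local(tag: str) -> str:
    """Strip the XML namespace so namespaced and plain descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _init_params(elem) -> dict:
    """Collect <init-param> name/value pairs under a <servlet> or <filter>."""
    params = {}
    for child in elem:
        if _local(child.tag) == "init-param":
            params[_child_text(child, "param-name")] = _child_text(child, "param-value")
    return params


def audit_web_xml(xml_text: str) -> list:
    """Return (severity, message) findings for the descriptor."""
    findings = []
    for elem in ET.fromstring(xml_text):
        kind = _local(elem.tag)
        if kind == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET:
            if _init_params(elem).get("readonly", "true").lower() == "false":
                findings.append(("HIGH", f"servlet '{_child_text(elem, 'servlet-name')}': "
                                 "DefaultServlet readonly=false enables HTTP PUT/DELETE"))
        elif kind == "filter" and _child_text(elem, "filter-class") == CORS_FILTER:
            params = _init_params(elem)
            fname = _child_text(elem, "filter-name")
            origins = params.get("cors.allowed.origins")
            creds = params.get("cors.support.credentials")
            if origins is None or creds is None:
                # The advisory's point: the defaults are not safe to rely on.
                findings.append(("MEDIUM", f"filter '{fname}': CorsFilter relies on "
                                 "default origins/credentials settings"))
            elif origins.strip() == "*" and creds.lower() == "true":
                findings.append(("HIGH", f"filter '{fname}': wildcard origins with credentials"))
    return findings


# Constructed sample: a writable DefaultServlet, one CorsFilter left at its
# defaults and one configured with an explicit origin.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <filter>
    <filter-name>CorsDefaults</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsStrict</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>
"""

if __name__ == "__main__":
    for severity, msg in audit_web_xml(SAMPLE_WEB_XML):
        print(severity, msg)
```

Run it against both the global conf/web.xml and each application's WEB-INF/web.xml: the Default servlet is normally declared globally, so a readonly=false there applies to every deployed context.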
Apache Tomcat
added 2018/05/04 12:00 a.m. • 85 views

Fixed in Apache Tomcat 8.5.31

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830374. This issue was reported publicly on 6...

CVSS 7.5 • AI score 7.7 • EPSS 0.20599
Exploits 0 • Affected Software 1
Apache Tomcat
added 2017/07/01 12:00 a.m. • 85 views

Fixed in Apache Tomcat 7.0.79

Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. This was fixed in revision 1795816. The issue was reported as bug 61101 on ...

CVSS 4.3 • AI score 5.9 • EPSS 0.08037
Exploits 0 • Affected Software 1
Apache Tomcat
added 2017/03/30 12:00 a.m. • 85 views

Fixed in Apache Tomcat 8.5.13

Important: Information Disclosure CVE-2017-5651 The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could resu...

CVSS 9.8 • AI score 8.5 • EPSS 0.1684
Exploits 0 • Affected Software 1
Apache Tomcat
added 2017/03/13 12:00 a.m. • 85 views

Fixed in Apache Tomcat 8.5.12

Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to...

CVSS 9.1 • AI score 9.2 • EPSS 0.13225
Exploits 0 • Affected Software 1
Apache Tomcat
added 2008/07/31 12:00 a.m. • 85 views

Fixed in Apache Tomcat 6.0.18

Note: These issues were fixed in Apache Tomcat 6.0.17 but the release vote for that release candidate did not pass. Therefore, although users must download 6.0.18 to obtain a version that includes fixes for these issues, 6.0.17 is not included in the list of affected versions. Low: Cross-site...

CVSS 5 • AI score 7.6 • EPSS 0.75865
Exploits 5 • Affected Software 1
Apache Tomcat
added 2023/01/13 12:00 a.m. • 84 views

Fixed in Apache Tomcat 10.1.5

Important: Apache Tomcat denial of service CVE-2023-24998 Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload...

CVSS 7.5 • AI score 7.7 • EPSS 0.46836
Exploits 1 • Affected Software 1
Apache Tomcat
added 2015/01/16 12:00 a.m. • 84 views

Fixed in Apache Tomcat 8.0.17

Note: The issue below was fixed in Apache Tomcat 8.0.16 but the release vote for the 8.0.16 release candidate did not pass. Therefore, although users must download 8.0.17 to obtain a version that includes a fix for this issue, version 8.0.16 is not included in the list of affected versions...

CVSS 5 • AI score 6.7 • EPSS 0.13872
Exploits 0 • Affected Software 1
Apache Tomcat
added 2023/04/18 12:00 a.m. • 83 views

Fixed in Apache Tomcat 9.0.74

Moderate: Apache Tomcat denial of service CVE-2023-28709 The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...

CVSS 7.5 • AI score 7.8 • EPSS 0.51547
Exploits 1 • Affected Software 1
Apache Tomcat
added 2018/02/11 12:00 a.m. • 83 views

Fixed in Apache Tomcat 8.5.28

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

CVSS 6.5 • AI score 6.8 • EPSS 0.17716
Exploits 2 • Affected Software 1
Apache Tomcat
added 2017/09/30 12:00 a.m. • 83 views

Fixed in Apache Tomcat 9.0.1

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

CVSS 8.1 • AI score 8.4 • EPSS 0.99988
Exploits 23 • Affected Software 1
Apache Tomcat
added 2019/02/08 12:00 a.m. • 82 views

Fixed in Apache Tomcat 8.5.38

Important: Denial of Service CVE-2019-0199 The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's...

CVSS 7.5 • AI score 6.7 • EPSS 0.72855
Exploits 0 • Affected Software 1
Apache Tomcat
added 2017/03/13 12:00 a.m. • 81 views

Fixed in Apache Tomcat 9.0.0.M18

Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to...

CVSS 9.1 • AI score 9.2 • EPSS 0.13225
Exploits 0 • Affected Software 1
Apache Tomcat
added 2016/06/13 12:00 a.m. • 81 views

Fixed in Apache Tomcat 9.0.0.M8

Note: The issue below was fixed in Apache Tomcat 9.0.0.M7 but the release vote for the 9.0.0.M7 release candidate did not pass. Therefore, although users must download 9.0.0.M8 to obtain a version that includes a fix for this issue, version 9.0.0.M7 is not included in the list of affected...

CVSS 7.8 • AI score 6.8 • EPSS 0.35927
Exploits 0 • Affected Software 1
Apache Tomcat
added 2021/02/05 12:00 a.m. • 80 views

Fixed in Apache Tomcat 7.0.108

Low: Fix for CVE-2020-9484 was incomplete CVE-2021-25329 The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the...

CVSS 7 • AI score 7.2 • EPSS 0.56636
Exploits 15 • Affected Software 1
Apache Tomcat
added 2014/11/22 12:00 a.m. • 80 views

Fixed in Apache Tomcat 6.0.43

Note: The issue below was fixed in Apache Tomcat 6.0.42 but the release vote for the 6.0.42 release candidate did not pass. Therefore, although users must download 6.0.43 to obtain a version that includes a fix for this issue, version 6.0.42 is not included in the list of affected versions...

CVSS 6.4 • AI score 6.3 • EPSS 0.21045
Exploits 0 • Affected Software 1
Apache Tomcat
added 2023/02/23 12:00 a.m. • 79 views

Fixed in Apache Tomcat 11.0.0-M3

Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...

CVSS 7.5 • AI score 6.6 • EPSS 0.46836
Exploits 1 • Affected Software 1
Apache Tomcat
added 2020/07/07 12:00 a.m. • 79 views

Fixed in Apache Tomcat 7.0.105

Important: WebSocket DoS CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. This was fixed with commits f9f75c14 and 4c049828...

CVSS 7.5 • AI score 7.5 • EPSS 0.87553
Exploits 1 • Affected Software 1
Apache Tomcat
added 2012/10/10 12:00 a.m. • 79 views

Fixed in Apache Tomcat 5.5.36

Moderate: DIGEST authentication weakness CVE-2012-3439 Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved: 1. Tomcat tracked client rather than server nonces and nonce count. 2. When a session ID was present, authentication was bypassed. 3. The user...

AI score 6.5
Exploits 1 • Affected Software 1
Apache Tomcat
added 2023/04/19 12:00 a.m. • 78 views

Fixed in Apache Tomcat 11.0.0-M5

Moderate: Apache Tomcat denial of service CVE-2023-28709 The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...

CVSS 7.5 • AI score 7.8 • EPSS 0.46836
Exploits 1 • Affected Software 1
Apache Tomcat
added 2022/07/26 12:00 a.m. • 78 views

Fixed in Apache Tomcat 10.0.23

Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit 1a7e95d9. This issue was reported to the Apache Tomcat Securit...

CVSS 6.1 • AI score 6.2 • EPSS 0.06156
Exploits 0 • Affected Software 1
Apache Tomcat
added 2015/05/12 12:00 a.m. • 78 views

Fixed in Apache Tomcat 6.0.44

Low: Denial of Service CVE-2014-0230 When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the...

CVSS 7.8 • AI score 6.5 • EPSS 0.20318
Exploits 0 • Affected Software 1
Apache Tomcat
added 2022/01/20 12:00 a.m. • 77 views

Fixed in Apache Tomcat 10.1.0-M10

Note: The issue below was fixed in Apache Tomcat 10.1.0-M9 but the release vote for the 10.1.0-M9 release candidate did not pass. Therefore, although users must download 10.1.0-M10 to obtain a version that includes a fix for this issue, version 10.1.0-M9 is not included in the list of affected...

CVSS 7 • AI score 7.1 • EPSS 0.00692
Exploits 15 • Affected Software 1
Apache Tomcat
added 2021/02/02 12:00 a.m. • 76 views

Fixed in Apache Tomcat 8.5.63

Note: The issues below were fixed in Apache Tomcat 8.5.62 but the release vote for the 8.5.62 release candidate did not pass. Therefore, although users must download 8.5.63 to obtain a version that includes a fix for these issues, version 8.5.62 is not included in the list of affected versions...

CVSS 7.5 • AI score 7.2 • EPSS 0.56636
Exploits 15 • Affected Software 1
Apache Tomcat
added 2019/12/12 12:00 a.m. • 76 views

Fixed in Apache Tomcat 8.5.50

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

CVSS 7.5 • AI score 7.7 • EPSS 0.10687
Exploits 0 • Affected Software 1
Apache Tomcat
added 2007/03/09 12:00 a.m. • 76 views

Fixed in Apache Tomcat 5.5.23, 5.0.SVN

Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several...

CVSS 4.3 • AI score 3.3 • EPSS 0.29784
Exploits 4 • Affected Software 1
Apache Tomcat
added 2023/10/10 12:00 a.m. • 75 views

Fixed in Apache Tomcat 10.1.14

Important: Request smuggling CVE-2023-45648 Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. This was fixe...

CVSS 7.5 • AI score 7.7 • EPSS 0.99999
Exploits 21 • Affected Software 1
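CVE-2005-2090 above states that requests carrying more than one Content-Length header must be rejected, and CVE-2023-45648 that an invalid trailer header let Tomcat treat one request as several, which is a request-smuggling primitive behind a reverse proxy. As an added example (not Tomcat's HTTP parser), this Python framing routine handles both cases strictly: duplicate Content-Length fails the request, and a chunked body whose trailer section is not well-formed fails the request instead of leaving bytes that a lenient parser would read as the start of another one. The sample requests are constructed.

```python
"""Strict HTTP/1.1 request framing for the two cases on this page.

Added example, not Tomcat's parser. Sample requests are constructed.
"""
import re

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 token


class FramingError(ValueError):
    """Raised for any request whose framing is ambiguous or malformed."""


def _parse_headers(block: bytes) -> list:
    """Parse 'Name: value' lines into (lowercase name, value); reject bad names."""
    headers = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            raise FramingError(f"header line without colon: {line!r}")
        name, value = line.split(b":", 1)
        if not _TOKEN.match(name.decode("latin-1")):
            raise FramingError(f"invalid header field name {name!r}")
        headers.append((name.decode("latin-1").lower(), value.strip().decode("latin-1")))
    return headers


def _read_chunked(body: bytes) -> tuple:
    """Decode a chunked body; return (payload, trailers, bytes consumed)."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("bad chunk size")
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    # Trailer section: header lines (possibly none) ended by an empty line.
    # Every line must parse as a valid field; otherwise the whole request fails.
    end = body.find(b"\r\n\r\n", pos - 2)
    if end < 0:
        raise FramingError("truncated trailer section")
    trailers = _parse_headers(body[pos:end + 2])
    return bytes(out), trailers, end + 4


def parse_request(raw: bytes) -> dict:
    """Frame exactly one request; whatever follows is returned as 'leftover'."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end < 0:
        raise FramingError("no end of headers")
    request_line, _, header_block = raw[:head_end].partition(b"\r\n")
    headers = _parse_headers(header_block)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    body_start = head_end + 4
    if te:
        if cl:
            raise FramingError("Content-Length together with Transfer-Encoding")
        if [v.lower() for v in te] != ["chunked"]:
            raise FramingError("unsupported Transfer-Encoding")
        body, trailers, consumed = _read_chunked(raw[body_start:])
    else:
        if len(cl) > 1:
            raise FramingError("multiple Content-Length headers")
        if cl and not cl[0].isdigit():
            raise FramingError("non-numeric Content-Length")
        consumed = int(cl[0]) if cl else 0
        if len(raw) - body_start < consumed:
            raise FramingError("body shorter than Content-Length")
        body, trailers = raw[body_start:body_start + consumed], []
    total = body_start + consumed
    return {"request_line": request_line.decode("latin-1"), "headers": headers,
            "body": body, "trailers": trailers, "leftover": raw[total:]}


def classify_request(raw: bytes) -> str:
    """Return 'ok' or the framing error message (handy for batch checks)."""
    try:
        parse_request(raw)
        return "ok"
    except FramingError as exc:
        return str(exc)


# Constructed samples (not captured traffic).
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 20\r\n\r\n"
          b"helloGET /admin HTTP/1.1\r\n\r\n")
GOOD_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n")
BAD_TRAILER = (b"POST /upload HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"5\r\nhello\r\n0\r\nGET /admin HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("DUP_CL", DUP_CL), ("GOOD_CHUNKED", GOOD_CHUNKED), ("BAD_TRAILER", BAD_TRAILER)]:
        print(f"{name:13s} {classify_request(req)}")
```

The BAD_TRAILER sample is the shape that matters for smuggling: a trailer line that is not a header field. A parser that tolerated it would leave "GET /admin ..." on the connection to be read as the next request, and a front-end proxy that framed the body differently would never have seen that request at all.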
Apache Tomcat
added 2021/06/15 12:00 a.m. • 75 views

Fixed in Apache Tomcat 9.0.48

Note: The issue below was fixed in Apache Tomcat 9.0.47 but the release vote for the 9.0.47 release candidate did not pass. Therefore, although users must download 9.0.48 to obtain a version that includes a fix for this issue, version 9.0.47 is not included in the list of affected versions...

CVSS 5.3 • AI score 6 • EPSS 0.75353
Exploits 1 • Affected Software 1
Apache Tomcat
added 2019/11/21 12:00 a.m. • 75 views

Fixed in Apache Tomcat 8.5.49

Note: The issue below was fixed in Apache Tomcat 8.5.48 but the release vote for the 8.5.48 release candidate did not pass. Therefore, although users must download 8.5.49 to obtain a version that includes the fix for this issue, version 8.5.48 is not included in the list of affected versions...

CVSS 7 • AI score 7.3 • EPSS 0.37618
Exploits 0 • Affected Software 1
Total number of security vulnerabilities: 345