Search: Tomcat (sorted by most viewed)

345 matches found

Apache Tomcat (added 2016/02/08)

Fixed in Apache Tomcat 8.0.32

Note: The issues below were fixed in Apache Tomcat 8.0.31 but the release vote for the 8.0.31 release candidate did not pass. Therefore, although users must download 8.0.32 to obtain a version that includes fixes for these issues, version 8.0.31 is not included in the list of affected versions...

CVSS 8.8 | AI score 7.7 | EPSS 0.13075 | Exploits 0 | Affected software 1

Apache Tomcat (added 2008/02/08)

Fixed in Apache Tomcat 6.0.16

Low: Session hi-jacking CVE-2007-5333 The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value. Affects: 6.0.0-6.0.14 Low: Elevated privileges CVE-2007-5342 The JULI logging component allows web applications to provide their own logging...

CVSS 6.4 | AI score 4.8 | EPSS 0.62575 | Exploits 9 | Affected software 1

Apache Tomcat (added 2023/11/14)

Fixed in Apache Tomcat 10.1.16

Important: Request smuggling CVE-2023-46589 Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a...

CVSS 7.5 | AI score 7.6 | EPSS 0.02651 | Exploits 0 | Affected software 1

Apache Tomcat (added 2023/05/19)

Fixed in Apache Tomcat 8.5.89

Important: Information disclosure CVE-2023-34981 The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy...

CVSS 7.5 | AI score 7.3 | EPSS 0.01116 | Exploits 0 | Affected software 1

Apache Tomcat (added 2021/04/06)

Fixed in Apache Tomcat 10.0.5

Important: Denial of Service CVE-2021-30639 An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future...

CVSS 7.5 | AI score 7.4 | EPSS 0.06889 | Exploits 0 | Affected software 1

Apache Tomcat (added 2020/06/07)

Fixed in Apache Tomcat 10.0.0-M6

Important: HTTP/2 DoS CVE-2020-11996 A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. This was fixed with commit 9434a44d. Thi...

CVSS 7.5 | AI score 7.5 | EPSS 0.26699 | Exploits 0 | Affected software 1

Apache Tomcat (added 2018/05/16)

Fixed in Apache Tomcat 7.0.89

Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...

CVSS 9.8 | AI score 8.7 | EPSS 0.21979 | Exploits 0

Apache Tomcat (added 2018/02/13)

Fixed in Apache Tomcat 8.0.50

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

CVSS 6.5 | AI score 6.8 | EPSS 0.17716 | Exploits 2 | Affected software 1

Apache Tomcat (added 2017/05/10)

Fixed in Apache Tomcat 9.0.0.M21

Important: Security Constraint Bypass CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the...

CVSS 7.5 | AI score 7.6 | EPSS 0.16567 | Exploits 1 | Affected software 1

Apache Tomcat (added 2011/08/18)

Fixed in Apache Tomcat 6.0.33

Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184 Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security tea...

CVSS 5 | AI score 5.4 | EPSS 0.0854 | Exploits 1 | Affected software 1

Apache Tomcat (added 2007/02/28)

Fixed in Apache Tomcat 6.0.10

Important: Directory traversal CVE-2007-0450 Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy including, but not limited to, Apache HTTP server with mod_proxy and mod_jk configured to only proxy some contexts, a HTTP request containing strings like "/\../"...

CVSS 5 | AI score 6 | EPSS 0.90768 | Exploits 2 | Affected software 1

Apache Tomcat (added 2018/05/08)

Fixed in Apache Tomcat 8.0.52

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830375. This issue was reported publicly on 6...

CVSS 7.5 | AI score 7.7 | EPSS 0.20599 | Exploits 0 | Affected software 1

Apache Tomcat (added 2017/03/14)

Fixed in Apache Tomcat 8.0.42

Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to...

CVSS 9.1 | AI score 9.2 | EPSS 0.13225 | Exploits 0 | Affected software 1

Apache Tomcat (added 2016/12/08)

Fixed in Apache Tomcat 8.5.9

Important: Information Disclosure CVE-2016-8745 A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests...

CVSS 7.5 | AI score 7.6 | EPSS 0.16038 | Exploits 0 | Affected software 1

Apache Tomcat (added 2016/01/05)

Fixed in Apache Tomcat 9.0.0.M3

Moderate: Security Manager bypass CVE-2016-0763 This issue only affects users running untrusted web applications under a security manager. ResourceLinkFactory.setGlobalContext is a public method and was accessible to web applications even when running under a security manager. This allowed a...

CVSS 8.8 | AI score 7.8 | EPSS 0.1838 | Exploits 0 | Affected software 1

Apache Tomcat (added 2011/11/25)

Fixed in Apache Tomcat 7.0.23

Important: Denial of service CVE-2012-0022 Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to...

CVSS 5 | AI score 5.4 | EPSS 0.1086 | Exploits 1 | Affected software 1

Apache Tomcat (added 2010/01/21)

Fixed in Apache Tomcat 6.0.24

Note: These issues were fixed in Apache Tomcat 6.0.21 but the release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did not pass. Therefore, although users must download 6.0.24 to obtain a version that includes fixes for these issues, versions 6.0.21 onwards are not included in the...

CVSS 7.5 | AI score 5.9 | EPSS 0.78995 | Exploits 10 | Affected software 1

Apache Tomcat (added 2024/12/09)

Fixed in Apache Tomcat 9.0.98

Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete - CVE-2024-56337 The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 9.0.98 or later, users running Tomcat on a case insensitive file system with the...

CVSS 9.8 | AI score 8.3 | EPSS 0.43663 | Exploits 13 | Affected software 1

Apache Tomcat (added 2022/05/16)

Fixed in Apache Tomcat 10.1.0-M15

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

CVSS 7.5 | AI score 7.5 | EPSS 0.71653 | Exploits 5 | Affected software 1

Apache Tomcat (added 2021/02/02)

Fixed in Apache Tomcat 10.0.2

Note: The issues below were fixed in Apache Tomcat 10.0.1 but the release vote for the 10.0.1 release candidate did not pass. Therefore, although users must download 10.0.2 to obtain a version that includes a fix for these issues, version 10.0.1 is not included in the list of affected versions...

CVSS 7 | AI score 7.2 | EPSS 0.56636 | Exploits 15 | Affected software 1

Apache Tomcat (added 2011/12/05)

Fixed in Apache Tomcat 6.0.35

Note: The issues below were fixed in Apache Tomcat 6.0.34 but the release vote for the 6.0.34 release candidate did not pass. Therefore, although users must download 6.0.35 to obtain a version that includes a fix for this issue, version 6.0.34 is not included in the list of affected versions...

CVSS 7.5 | AI score 7.2 | EPSS 0.15226 | Exploits 4 | Affected software 1

Apache Tomcat (added 2024/06/19)

Fixed in Apache Tomcat 9.0.90

Important: Denial of Service CVE-2024-34750 When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain...

CVSS 8.6 | AI score 7.6 | EPSS 0.04602 | Exploits 0 | Affected software 1

Apache Tomcat (added 2016/06/20)

Fixed in Apache Tomcat 7.0.70

Moderate: Denial of Service CVE-2016-3092 Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the...

CVSS 7.8 | AI score 6.7 | EPSS 0.35927 | Exploits 0 | Affected software 1

Apache Tomcat (added 2012/09/06)

Fixed in Apache Tomcat 7.0.30

Important: Denial of service CVE-2012-3544 When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DoS by streaming an unlimited amount of data to the server. This was...

CVSS 5 | AI score 6.8 | EPSS 0.11975 | Exploits 3 | Affected software 1

Apache Tomcat (added 2011/09/01)

Fixed in Apache Tomcat 7.0.21

Important: Authentication bypass and information disclosure CVE-2011-3190 Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request include...

CVSS 7.5 | AI score 6.3 | EPSS 0.15226 | Exploits 1 | Affected software 1

Apache Tomcat (added 2008/01/21)

Fixed in Apache Tomcat 4.1.39

Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. This was fixed i...

CVSS 5 | AI score 7.5 | EPSS 0.75865 | Exploits 3 | Affected software 1

Apache Tomcat (added 2000/07/19)

Fixed in Apache Tomcat 3.3a

Moderate: Information disclosure CVE-2002-2007 Non-standard requests to the sample applications installed by default could result in unexpected directory listings or disclosure of the full file system path for a JSP. Affects: 3.2.3-3.2.4 Low: Information disclosure CVE-2002-2006, CVE-2000-0760 Th...

CVSS 6.4 | AI score 5.9 | EPSS 0.62496 | Exploits 3 | Affected software 1

Apache Tomcat (added 2022/08/13)

Fixed in Apache Tomcat 8.5.82

Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit 5f6c88b0. This issue was reported to the Apache Tomcat Securit...

CVSS 6.1 | AI score 6.2 | EPSS 0.06156 | Exploits 0 | Affected software 1

Apache Tomcat (added 2012/01/16)

Fixed in Apache Tomcat 5.5.35

Important: Denial of service CVE-2012-0022 Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to...

CVSS 5 | AI score 5.4 | EPSS 0.1086 | Exploits 1 | Affected software 1

Apache Tomcat (added 2018/05/16)

Fixed in Apache Tomcat 7.0.88

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830376. This issue was reported publicly on 6...

CVSS 7.5 | AI score 7.7 | EPSS 0.20599 | Exploits 0 | Affected software 1

Apache Tomcat (added 2014/05/23)

Fixed in Apache Tomcat 6.0.41

Note: The issues below were fixed in Apache Tomcat 6.0.40 but the release vote for the 6.0.40 release candidate did not pass. Therefore, although users must download 6.0.41 to obtain a version that includes fixes for these issues, version 6.0.40 is not included in the list of affected versions...

CVSS 5 | AI score 8.5 | EPSS 0.2006 | Exploits 1 | Affected software 1

Apache Tomcat (added 2012/10/19)

Fixed in Apache Tomcat 6.0.36

Important: Denial of service CVE-2012-2733 The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large...

CVSS 5 | AI score 6.9 | EPSS 0.11975 | Exploits 4 | Affected software 1

Apache Tomcat (added 2008/09/08)

Fixed in Apache Tomcat 5.5.27

Low: Cross-site scripting CVE-2008-1232 The message argument of HttpServletResponse.sendError call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted...

CVSS 5 | AI score 7.5 | EPSS 0.75865 | Exploits 5 | Affected software 1

Apache Tomcat (added 2011/02/01)

Fixed in Apache Tomcat 5.5.32

Low: Cross-site scripting CVE-2011-0013 The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages. This was fixed in revision...

CVSS 4.3 | AI score 5.4 | EPSS 0.10228 | Exploits 2 | Affected software 1

Apache Tomcat (added 2007/05/09)

Fixed in Apache Tomcat 5.5.21, 5.0.SVN

Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploi...

CVSS 2.6 | AI score 8.6 | EPSS 0.19889 | Exploits 1 | Affected software 1

Apache Tomcat (added 2007/02/08)

Fixed in Apache Tomcat 6.0.9

Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. Affects:...

CVSS 5 | AI score 7.7 | EPSS 0.19622 | Exploits 0 | Affected software 1

Apache Tomcat (added 2006/03/15)

Fixed in Apache Tomcat 5.5.16, 5.0.SVN

Low: Cross-site scripting CVE-2006-7196 The calendar application included as part of the JSP examples is susceptible to a cross-site scripting attack as it does not escape user provided data before including it in the returned page. Affects: 5.0.0-5.0.30, 5.5.0-5.5.15...

CVSS 4.3 | AI score 5.4 | EPSS 0.72168 | Exploits 0 | Affected software 1

Apache Tomcat (added 2020/11/17)

Fixed in Apache Tomcat 10.0.0-M10

Important: Information disclosure CVE-2021-24122 When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API...

CVSS 7.5 | AI score 6.9 | EPSS 0.24622 | Exploits 0 | Affected software 1

Apache Tomcat (added 2017/06/26)

Fixed in Apache Tomcat 9.0.0.M22

Important: Security Constraint Bypass CVE-2017-7675 The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. This was fixed in revision 1796090. The issue was...

CVSS 7.5 | AI score 6.2 | EPSS 0.1014 | Exploits 0 | Affected software 1

Apache Tomcat (added 2017/01/05)

Fixed in Apache Tomcat 6.0.50

Note: The issue below was fixed in Apache Tomcat 6.0.49 but the release vote for the 6.0.49 release candidate did not pass. Therefore, although users must download 6.0.50 to obtain a version that includes the fix for this issue, version 6.0.49 is not included in the list of affected versions...

CVSS 7.5 | AI score 7.6 | EPSS 0.16038 | Exploits 0 | Affected software 1

Apache Tomcat (added 2012/06/19)

Fixed in Apache Tomcat 7.0.28

Important: Denial of service CVE-2012-2733 The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large...

CVSS 5 | AI score 9.5 | EPSS 0.08742 | Exploits 1 | Affected software 1

Apache Tomcat (added 2011/09/22)

Fixed in Apache Tomcat 5.5.34

Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184 Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security tea...

CVSS 7.5 | AI score 6.6 | EPSS 0.15226 | Exploits 2 | Affected software 1

Apache Tomcat (added 2010/04/20)

Fixed in Apache Tomcat 5.5.29

Low: Arbitrary file deletion and/or alteration on deploy CVE-2009-2693 When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the...

CVSS 7.5 | AI score 5.9 | EPSS 0.78995 | Exploits 10 | Affected software 1

Apache Tomcat (added 2005/06/06)

Fixed in Apache Tomcat 6.0.11

Moderate: Cross-site scripting CVE-2007-1355 The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided...

CVSS 4.3 | AI score 4.4 | EPSS 0.58246 | Exploits 6 | Affected software 1

Apache Tomcat (added 2019/05/13)

Fixed in Apache Tomcat 9.0.20

Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window stream 0 clients were able to cause server-side threads to block eventually leading...

CVSS 7.5 | AI score 6.9 | EPSS 0.72988 | Exploits 0 | Affected software 1

Apache Tomcat (added 2018/05/03)

Fixed in Apache Tomcat 9.0.8

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830373. This issue was reported publicly on 6...

CVSS 7.5 | AI score 7.7 | EPSS 0.20599 | Exploits 0 | Affected software 1

Apache Tomcat (added 2017/07/01)

Fixed in Apache Tomcat 8.0.45

Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. This was fixed in revision 1795815. The issue was reported as bug 61101 on ...

CVSS 4.3 | AI score 5.9 | EPSS 0.08037 | Exploits 0 | Affected software 1

Apache Tomcat (added 2014/03/30)

Fixed in Apache Tomcat 7.0.53

Important: Denial of Service CVE-2014-0075 It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. This was...

CVSS 5 | AI score 8.5 | EPSS 0.2006 | Exploits 1 | Affected software 1

Apache Tomcat (added 2014/01/31)

Fixed in Apache Tomcat 6.0.39

Note: The issues below were fixed in Apache Tomcat 6.0.38 but the release vote for 6.0.38 did not pass. Therefore, although users must download 6.0.39 to obtain a version that includes the fixes for these issues, version 6.0.38 is not included in the list of affected versions. Low: Frame injectio...

CVSS 5.8 | AI score 7.3 | EPSS 0.66817 | Exploits 7 | Affected software 1

Apache Tomcat (added 2021/05/12)

Fixed in Apache Tomcat 10.0.6

Low: Authentication weakness CVE-2021-30640 Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data, e.g. user names, as well as configuration data provided by an administrator. In limited circumstances it was possible for...

CVSS 6.5 | AI score 6.8 | EPSS 0.09886 | Exploits 0 | Affected software 1

Total number of security vulnerabilities: 345