345 matches found
Fixed in Apache Tomcat 8.0.41
Note: The issue below was fixed in Apache Tomcat 8.0.40 but the release vote for the 8.0.40 release candidate did not pass. Therefore, although users must download 8.0.41 to obtain a version that includes the fix for this issue, version 8.0.40 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.0.30
Low: Directory disclosure CVE-2015-5345 When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was...
Fixed in Apache Tomcat 7.0.65
Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager. When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths(), the paths should be limited to the current web...
Fixed in Apache Tomcat 7.0.47
Note: The issue below was fixed in Apache Tomcat 7.0.43 but the release votes for 7.0.43 to 7.0.46 did not pass. Therefore, although users must download 7.0.47 to obtain a version that includes a fix for this issue, versions 7.0.43 to 7.0.46 are not included in the list of affected versions...
Fixed in Apache Tomcat 7.0.22
Important: Information disclosure CVE-2011-3375 For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed t...
Fixed in Apache Tomcat 7.0.20
Important: Information disclosure CVE-2011-2729 Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities, allowing the application to access files and directories owned by the superuser. This vulnerability only occu...
Fixed in Apache Tomcat 7.0.8
Note: The issue below was fixed in Apache Tomcat 7.0.7 but the release vote for the 7.0.7 release candidate did not pass. Therefore, although users must download 7.0.8 to obtain a version that includes a fix for this issue, version 7.0.7 is not included in the list of affected versions. Important...
Fixed in Apache Tomcat 7.0.6
Low: Cross-site scripting CVE-2011-0013 The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages. This was fixed in revision...
Fixed in Apache Tomcat 7.0.5
Low: Cross-site scripting CVE-2010-4172 The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting. The CSRF protection, which is enabled by default, prevents an attacker from exploiting this. This was fixed in...
Fixed in Apache Tomcat JK Connector 1.2.23
Important: Information disclosure CVE-2007-1860 The issue is related to CVE-2007-0450, the patch for which was insufficient. When multiple components (firewalls, caches, proxies and Tomcat) process a request, the request URL should not get decoded multiple times in an iterative way by these...
Fixed in Apache Tomcat 11.0.0-M17
Important: Denial of Service CVE-2024-23672 It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. This was fixed with commit b0e3b1bd. This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made publi...
Fixed in Apache Tomcat 8.0.27
Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager. When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths(), the paths should be limited to the current web...
Fixed in Apache Tomcat 8.0.5
Note: The issues below were fixed in Apache Tomcat 8.0.4 but the release vote for the 8.0.4 release candidate did not pass. Therefore, although users must download 8.0.5 to obtain a version that includes fixes for these issues, version 8.0.4 is not included in the list of affected versions...
Fixed in Apache Tomcat 6.0.28
Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227 Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail...
Fixed in Apache Tomcat 5.5.13, 5.0.SVN
Low: Directory listing CVE-2006-3835 This is expected behaviour when directory listings are enabled. The semicolon ; is the separator for path parameters so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled...
Fixed in Apache Tomcat 11.0.0-M11
Moderate: Open redirect CVE-2023-41080 If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. This was fixed with commit e3703c9a. This issue was reported ...
Fixed in Apache Tomcat 10.0.27
Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat wa...
Fixed in Apache Tomcat 10.0.0-M8
Moderate: HTTP/2 request mix-up CVE-2020-13943 If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo...
Fixed in Apache Tomcat 7.0.75
Important: Information Disclosure CVE-2016-8745 Note: The issue below was fixed in Apache Tomcat 7.0.74 but the release vote for the 7.0.74 release candidate did not pass. Therefore, although users must download 7.0.75 to obtain a version that includes the fix for this issue, version 7.0.74 is no...
Fixed in Apache Tomcat 7.0.67
Note: The issue below was fixed in Apache Tomcat 7.0.66 but the release vote for the 7.0.66 release candidate did not pass. Therefore, although users must download 7.0.67 to obtain a version that includes a fix for this issue, version 7.0.66 is not included in the list of affected versions. Low:...
Fixed in Apache Tomcat 7.0.11
Important: Security constraint bypass CVE-2011-1088 When a web application was started, ServletSecurity annotations were ignored. This meant that some areas of the application may not have been protected as expected. This was partially fixed in Apache Tomcat 7.0.10 and fully fixed in 7.0.11. This...
Fixed in Apache Tomcat 9.0.96
Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 47307ee2. This issue was identified by the Tomcat Security Team on 1 October 2024...
Fixed in Apache Tomcat 7.0.50
Note: The issues below were fixed in Apache Tomcat 7.0.48 but the release votes for 7.0.48 to 7.0.49 did not pass. Therefore, although users must download 7.0.50 to obtain a version that includes fixes for these issues, versions 7.0.48 to 7.0.49 are not included in the list of affected versions...
Fixed in Apache Tomcat 8.0.0-RC10
Note: The issue below was fixed in Apache Tomcat 8.0.0-RC6 but the release votes for 8.0.0-RC6 to 8.0.0-RC9 did not pass. Therefore, although users must download 8.0.0-RC10 to obtain a version that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are not included in the list of...
Fixed in Apache Tomcat 6.0.37
Important: Session fixation CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that...
Fixed in Apache Tomcat 5.5.22, 5.0.SVN
Important: Directory traversal CVE-2007-0450 The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information. Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy including, but...
Fixed in Apache Tomcat 10.1.0-M6
Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...
Fixed in Apache Tomcat 10.0.7
Important: Request Smuggling CVE-2021-33037 Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header i...
Fixed in Apache Tomcat 10.0.4
Note: The issue below was fixed in Apache Tomcat 10.0.3 but the release vote for the 10.0.3 release candidate did not pass. Therefore, although users must download 10.0.4 to obtain a version that includes a fix for this issue, version 10.0.3 is not included in the list of affected versions...
Fixed in Apache Tomcat 7.0.54
Low: Information Disclosure CVE-2014-0119 In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML...
Fixed in Apache Tomcat 4.1.40
Important: Information Disclosure CVE-2008-5515 When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be...
Fixed in Apache Tomcat 5.5.21
Moderate: Session hijacking CVE-2008-0128 When using the SingleSignOn Valve via https, the cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is requested, by design or by mistake, via http from the same server. Affects:...
Fixed in Apache Tomcat 6.0.6
Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploi...
Fixed in Apache Tomcat 10.1.2
Low: Apache Tomcat JsonErrorReportValve injection CVE-2022-45143 The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...
Fixed in Apache Tomcat JK Connector 1.2.46
Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 but the release vote for the 1.2.45 release candidate did not pass. Therefore, although users must download 1.2.46 to obtain a version that includes the fix for this issue, version 1.2.45 is not included in the list of affected...
Fixed in Apache Tomcat 7.0.32
Important: Bypass of CSRF prevention filter CVE-2012-4431 The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. This was fixed in revision 1393088. This issue was identified by the Tomcat security team on 8...
Fixed in Apache Tomcat 5.5.18, 5.0.SVN
Moderate: Cross-site scripting CVE-2006-7195 The implicit-objects.jsp in the examples webapp displayed a number of unfiltered header values. This enabled a XSS attack. These values are now filtered. Affects: 5.0.0-5.0.30, 5.5.0-5.5.17...
Fixed in Apache Tomcat 5.5.7, 5.0.SVN
Low: Cross-site scripting CVE-2005-4838 Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page. Affects: 5.0.0-5.0.30, 5.5.0-5.5.6...
Fixed in Apache Tomcat 4.1.12, 4.0.5
Important: Information disclosure CVE-2002-1148 A specially crafted URL using the default servlet can enable an attacker to obtain the source of JSP pages. Affects: 4.0.0-4.0.4, 4.1.0-4.1.11...
Fixed in Apache Tomcat 10.0.12
Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...
Fixed in Apache Tomcat 8.5.11
Note: The issue below was fixed in Apache Tomcat 8.5.10 but the release vote for the 8.5.10 release candidate did not pass. Therefore, although users must download 8.5.11 to obtain a version that includes the fix for this issue, version 8.5.10 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.0.9
Important: Request Smuggling CVE-2014-0227 It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request. This was fixed in revisions 1600984, 1601329, 1601330 and 1601332. This issue was identified by the Tomcat...
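The smuggling entries on this page (CVE-2022-42252 on invalid Content-Length, CVE-2021-33037 on Transfer-Encoding parsing, CVE-2014-0227 on malformed chunks) share one root: two hops disagreeing on where a request body ends. The following is an added example, not Tomcat code, of the strict framing a server-side parser needs so that a front end cannot be talked into a different body length: ambiguous or malformed framing is rejected rather than guessed at, and whatever follows the message is handed back untouched as the next pipelined request. The sample requests are constructed for illustration.

```python
# Strict HTTP/1.1 request framing. Added example for the request-smuggling
# advisories on this page; not Tomcat source. SAMPLES are constructed.
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


class FramingError(ValueError):
    """Body length is ambiguous or malformed; the request must be refused."""


def _split_head(raw: bytes):
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    try:
        request_line = lines[0].decode("ascii")
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            # No empty names and no whitespace around the field name.
            if not colon or not name or name.strip() != name:
                raise FramingError("malformed header line: %r" % line)
            headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII in header block") from exc
    return request_line, headers, rest


def _read_chunked(data: bytes):
    """Decode a chunked body; return (body, bytes after this message)."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("missing chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0]
        # Exactly 1*HEXDIG with no surrounding whitespace: tolerance here is
        # what lets two parsers place the chunk boundary differently.
        if not size_field or any(b not in HEXDIGITS for b in size_field):
            raise FramingError("malformed chunk size: %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            while True:  # optional trailer fields, then an empty line
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise FramingError("unterminated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(out), data[pos:]
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2


def frame_request(raw: bytes):
    """Return (request_line, headers, body, leftover) or raise FramingError."""
    request_line, headers, rest = _split_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # RFC 7230 section 3.3.3: the two framings can disagree, so refuse.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        # Only 'chunked' as the sole coding; variants one hop honours and
        # another ignores are the smuggling vector.
        if codings != ["chunked"]:
            raise FramingError("unsupported Transfer-Encoding: %r" % te)
        body, leftover = _read_chunked(rest)
        return request_line, headers, body, leftover
    if cl:
        # Duplicates must agree and the value must be plain ASCII digits.
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("invalid Content-Length: %r" % cl)
        n = int(cl[0])
        if len(rest) < n:
            raise FramingError("body shorter than Content-Length")
        return request_line, headers, rest[:n], rest[n:]
    return request_line, headers, b"", rest


SAMPLES = {  # constructed for illustration
    "clean_chunked": b"POST /app HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
                     b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
    "te_and_cl": b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGPOST /admin HTTP/1.1\r\n\r\n",
    "bad_chunk_size": b"POST /app HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
                      b"4 \r\nWiki\r\n0\r\n\r\n",
    "bad_content_length": b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 0x10\r\n\r\n" + b"A" * 16,
    "pipelined": b"POST /app HTTP/1.1\r\nHost: h\r\nContent-Length: 3\r\n\r\nabcGET /next HTTP/1.1\r\n\r\n",
}


def classify(raw: bytes) -> str:
    """'accepted' or the rejection reason."""
    try:
        frame_request(raw)
        return "accepted"
    except FramingError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-20s %s" % (name, classify(raw)))
```

The `pipelined` sample shows the safe behaviour on the accept side: the bytes after the declared body are returned as `leftover` for the caller to parse as a new request, rather than being folded into the current one or silently dropped.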
Fixed in Apache Tomcat 7.0.4
Low: SecurityManager file permission bypass CVE-2010-3718 When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate file...
Fixed in Apache Tomcat 7.0.2
Note: The issue below was fixed in Apache Tomcat 7.0.1 but the release vote for the 7.0.1 release candidate did not pass. Therefore, although users must download 7.0.2 to obtain a version that includes a fix for this issue, version 7.0.1 is not included in the list of affected versions. Important...
Fixed in Apache Tomcat 3.3.1a
Important: Information disclosure CVE-2003-0043 When used with JDK 1.3.1 or earlier, web.xml files were read with trusted privileges enabling files outside of the web application to be read even when running under a security manager. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1 Important:...
Fixed in Apache Tomcat 9.0.106
Moderate: Session fixation possible via rewrite valve CVE-2025-55668 If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...
Fixed in Apache Tomcat 10.1.40
Low: Rewrite rule bypass CVE-2025-31651 For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This was fixed with...
Fixed in Apache Tomcat 7.0.12
Important: Information disclosure CVE-2011-1475 Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of respons...
Fixed in Apache Tomcat 3.2.2
Moderate: Cross site scripting CVE-2001-0829 The default 404 error page does not escape URLs. This allows XSS attacks using specially crafted URLs. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1 Moderate: Information disclosure CVE-2001-0590 A specially crafted URL can be used to obtain the source for JSPs...
Fixed in Apache Tomcat 8.0.48
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...