Search results: Tomcat (sorted by most viewed)

345 matches found

Apache Tomcat
Added 2017/01/24

Fixed in Apache Tomcat 8.0.41

Note: The issue below was fixed in Apache Tomcat 8.0.40 but the release vote for the 8.0.40 release candidate did not pass. Therefore, although users must download 8.0.41 to obtain a version that includes the fix for this issue, version 8.0.40 is not included in the list of affected versions...

CVSS 7.5 | AI score 7.6 | EPSS 0.16038
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2015/12/06

Fixed in Apache Tomcat 8.0.30

Low: Directory disclosure CVE-2015-5345 When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was...

CVSS 5.3 | AI score 7.1 | EPSS 0.1838
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2015/10/19

Fixed in Apache Tomcat 7.0.65

Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager. When accessing resources via the ServletContext methods getResource, getResourceAsStream and getResourcePaths, the paths should be limited to the current web...

CVSS 4.3 | AI score 6.7 | EPSS 0.12555
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2013/10/24

Fixed in Apache Tomcat 7.0.47

Note: The issue below was fixed in Apache Tomcat 7.0.43 but the release votes for 7.0.43 to 7.0.46 did not pass. Therefore, although users must download 7.0.47 to obtain a version that includes a fix for this issue, versions 7.0.43 to 7.0.46 are not included in the list of affected versions...

AI score 6.3
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2011/10/01

Fixed in Apache Tomcat 7.0.22

Important: Information disclosure CVE-2011-3375 For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed t...

CVSS 5 | AI score 4.5 | EPSS 0.06694
Exploits: 3 | Affected software: 1
Apache Tomcat
Added 2011/08/11

Fixed in Apache Tomcat 7.0.20

Important: Information disclosure CVE-2011-2729 Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities, allowing the application to access files and directories owned by the superuser. This vulnerability only occu...

CVSS 5 | AI score 4 | EPSS 0.07243
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2011/02/05

Fixed in Apache Tomcat 7.0.8

Note: The issue below was fixed in Apache Tomcat 7.0.7 but the release vote for the 7.0.7 release candidate did not pass. Therefore, although users must download 7.0.8 to obtain a version that includes a fix for this issue, version 7.0.7 is not included in the list of affected versions. Important...

CVSS 5 | AI score 5.4 | EPSS 0.07885
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2011/01/14

Fixed in Apache Tomcat 7.0.6

Low: Cross-site scripting CVE-2011-0013 The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages. This was fixed in revision...

CVSS 4.3 | AI score 5.4 | EPSS 0.10228
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2010/12/01

Fixed in Apache Tomcat 7.0.5

Low: Cross-site scripting CVE-2010-4172 The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting. The CSRF protection, which is enabled by default, prevents an attacker from exploiting this. This was fixed in...

CVSS 4.3 | AI score 5 | EPSS 0.42009
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2007/05/18

Fixed in Apache Tomcat JK Connector 1.2.23

Important: Information disclosure CVE-2007-1860 The issue is related to CVE-2007-0450, the patch for which was insufficient. When multiple components (firewalls, caches, proxies and Tomcat) process a request, the request URL should not get decoded multiple times in an iterative way by these...

CVSS 5 | AI score 6 | EPSS 0.12924
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2024/02/19

Fixed in Apache Tomcat 11.0.0-M17

Important: Denial of Service CVE-2024-23672 It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. This was fixed with commit b0e3b1bd. This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made publi...

CVSS 7.5 | AI score 7.1 | EPSS 0.23072
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2015/10/01

Fixed in Apache Tomcat 8.0.27

Low: Limited directory traversal CVE-2015-5174 This issue only affects users running untrusted web applications under a security manager. When accessing resources via the ServletContext methods getResource, getResourceAsStream and getResourcePaths, the paths should be limited to the current web...

CVSS 4.3 | AI score 6.7 | EPSS 0.12555
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2014/03/27

Fixed in Apache Tomcat 8.0.5

Note: The issues below were fixed in Apache Tomcat 8.0.4 but the release vote for the 8.0.4 release candidate did not pass. Therefore, although users must download 8.0.5 to obtain a version that includes fixes for these issues, version 8.0.4 is not included in the list of affected versions...

CVSS 5 | AI score 8.4 | EPSS 0.2006
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2010/07/09

Fixed in Apache Tomcat 6.0.28

Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227 Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail...

CVSS 6.4 | AI score 5.6 | EPSS 0.54779
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2005/11/04

Fixed in Apache Tomcat 5.5.13, 5.0.SVN

Low: Directory listing CVE-2006-3835 This is expected behaviour when directory listings are enabled. The semicolon (;) is the separator for path parameters, so inserting one before a file name changes the request into a request for a directory with a path parameter. If directory listings are enabled...

CVSS 5 | AI score 7.3 | EPSS 0.45579
Exploits: 8 | Affected software: 1
Apache Tomcat
Added 2023/08/25

Fixed in Apache Tomcat 11.0.0-M11

Moderate: Open redirect CVE-2023-41080 If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice. This was fixed with commit e3703c9a. This issue was reported ...

CVSS 7.5 | AI score 7.2 | EPSS 0.05972
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2022/10/10

Fixed in Apache Tomcat 10.0.27

Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat wa...

CVSS 7.5 | AI score 7.5 | EPSS 0.01448
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2020/09/14

Fixed in Apache Tomcat 10.0.0-M8

Moderate: HTTP/2 request mix-up CVE-2020-13943 If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo...

CVSS 4.3 | AI score 4.9 | EPSS 0.57286
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2017/01/24

Fixed in Apache Tomcat 7.0.75

Important: Information Disclosure CVE-2016-8745 Note: The issue below was fixed in Apache Tomcat 7.0.74 but the release vote for the 7.0.74 release candidate did not pass. Therefore, although users must download 7.0.75 to obtain a version that includes the fix for this issue, version 7.0.74 is no...

CVSS 7.5 | AI score 7.6 | EPSS 0.16038
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2015/12/10

Fixed in Apache Tomcat 7.0.67

Note: The issue below was fixed in Apache Tomcat 7.0.66 but the release vote for the 7.0.66 release candidate did not pass. Therefore, although users must download 7.0.67 to obtain a version that includes a fix for this issue, version 7.0.66 is not included in the list of affected versions. Low:...

CVSS 8.1 | AI score 7 | EPSS 0.10573
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2011/03/11

Fixed in Apache Tomcat 7.0.11

Important: Security constraint bypass CVE-2011-1088 When a web application was started, ServletSecurity annotations were ignored. This meant that some areas of the application may not have been protected as expected. This was partially fixed in Apache Tomcat 7.0.10 and fully fixed in 7.0.11. This...

CVSS 5.8 | AI score 4.2 | EPSS 0.06453
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2024/10/09

Fixed in Apache Tomcat 9.0.96

Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 47307ee2. This issue was identified by the Tomcat Security Team on 1 October 2024...

CVSS 9.8 | AI score 7.9 | EPSS 0.06287
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2014/01/08

Fixed in Apache Tomcat 7.0.50

Note: The issues below were fixed in Apache Tomcat 7.0.48 but the release votes for 7.0.48 to 7.0.49 did not pass. Therefore, although users must download 7.0.50 to obtain a version that includes fixes for these issues, versions 7.0.48 to 7.0.49 are not included in the list of affected versions...

CVSS 5 | AI score 8.3 | EPSS 0.11001
Exploits: 3 | Affected software: 1
Apache Tomcat
Added 2013/12/26

Fixed in Apache Tomcat 8.0.0-RC10

Note: The issue below was fixed in Apache Tomcat 8.0.0-RC6 but the release votes for 8.0.0-RC6 to 8.0.0-RC9 did not pass. Therefore, although users must download 8.0.0-RC10 to obtain a version that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are not included in the list of...

AI score 8.2
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2013/05/03

Fixed in Apache Tomcat 6.0.37

Important: Session fixation CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that...

CVSS 6.8 | AI score 6.2 | EPSS 0.11001
Exploits: 3 | Affected software: 1
Apache Tomcat
Added 2007/03/14

Fixed in Apache Tomcat 5.5.22, 5.0.SVN

Important: Directory traversal CVE-2007-0450 The fix for this issue was insufficient. A fix was also required in the JK connector module for httpd. See CVE-2007-1860 for further information. Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used behind a proxy including, but...

CVSS 5 | AI score 6.1 | EPSS 0.90768
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2021/10/01

Fixed in Apache Tomcat 10.1.0-M6

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

CVSS 7.5 | AI score 6.8 | EPSS 0.10997
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2021/06/15

Fixed in Apache Tomcat 10.0.7

Important: Request Smuggling CVE-2021-33037 Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header i...

CVSS 5.3 | AI score 6 | EPSS 0.75353
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2021/03/10

Fixed in Apache Tomcat 10.0.4

Note: The issue below was fixed in Apache Tomcat 10.0.3 but the release vote for the 10.0.3 release candidate did not pass. Therefore, although users must download 10.0.4 to obtain a version that includes a fix for these issues, version 10.0.3 is not included in the list of affected versions...

CVSS 7.5 | AI score 7.4 | EPSS 0.06687
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2014/05/22

Fixed in Apache Tomcat 7.0.54

Low: Information Disclosure CVE-2014-0119 In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML...

CVSS 4.3 | AI score 8 | EPSS 0.07616
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2009/06/08

Fixed in Apache Tomcat 4.1.40

Important: Information Disclosure CVE-2008-5515 When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be...

CVSS 5 | AI score 5.4 | EPSS 0.9444
Exploits: 8 | Affected software: 1
Apache Tomcat
Added 2008/01/21

Fixed in Apache Tomcat 5.5.21

Moderate: Session hi-jacking CVE-2008-0128 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server. Affects:...

CVSS 5 | AI score 7.5 | EPSS 0.19622
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2006/12/18

Fixed in Apache Tomcat 6.0.6

Low: Cross-site scripting CVE-2007-1358 Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploi...

CVSS 2.6 | AI score 8.6 | EPSS 0.19889
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2022/11/14

Fixed in Apache Tomcat 10.1.2

Low: Apache Tomcat JsonErrorReportValve injection CVE-2022-45143 The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...

CVSS 7.5 | AI score 7.5 | EPSS 0.02505
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2018/10/31

Fixed in Apache Tomcat JK Connector 1.2.46

Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 but the release vote for the 1.2.45 release candidate did not pass. Therefore, although users must download 1.2.46 to obtain a version that includes the fix for this issue, version 1.2.45 is not included in the list of affected...

CVSS 7.5 | AI score 6.6 | EPSS 0.90647
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2012/10/09

Fixed in Apache Tomcat 7.0.32

Important: Bypass of CSRF prevention filter CVE-2012-4431 The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. This was fixed in revision 1393088. This issue was identified by the Tomcat security team on 8...

CVSS 4.3 | AI score 9.4 | EPSS 0.09146
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2007/05/09

Fixed in Apache Tomcat 5.5.18, 5.0.SVN

Moderate: Cross-site scripting CVE-2006-7195 The implicit-objects.jsp in the examples webapp displayed a number of unfiltered header values. This enabled an XSS attack. These values are now filtered. Affects: 5.0.0-5.0.30, 5.5.0-5.5.17...

CVSS 4.3 | AI score 5.2 | EPSS 0.05476
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2005/01/03

Fixed in Apache Tomcat 5.5.7, 5.0.SVN

Low: Cross-site scripting CVE-2005-4838 Various JSPs included as part of the JSP examples and the Tomcat Manager are susceptible to a cross-site scripting attack as they do not escape user provided data before including it in the returned page. Affects: 5.0.0-5.0.30, 5.5.0-5.5.6...

CVSS 4.3 | AI score 7.4 | EPSS 0.07883
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2002/09/24

Fixed in Apache Tomcat 4.1.12, 4.0.5

Important: Information disclosure CVE-2002-1148 A specially crafted URL using the default servlet can enable an attacker to obtain the source of JSP pages. Affects: 4.0.0-4.0.4, 4.1.0-4.1.11...

CVSS 5 | AI score 5.9 | EPSS 0.1682
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2021/10/01

Fixed in Apache Tomcat 10.0.12

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

CVSS 7.5 | AI score 6.8 | EPSS 0.10997
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2017/01/16

Fixed in Apache Tomcat 8.5.11

Note: The issue below was fixed in Apache Tomcat 8.5.10 but the release vote for the 8.5.10 release candidate did not pass. Therefore, although users must download 8.5.11 to obtain a version that includes the fix for this issue, version 8.5.10 is not included in the list of affected versions...

CVSS 7.5 | AI score 7.1 | EPSS 0.07179
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2014/06/24

Fixed in Apache Tomcat 8.0.9

Important: Request Smuggling CVE-2014-0227 It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request. This was fixed in revisions 1600984, 1601329, 1601330 and 1601332. This issue was identified by the Tomcat...

CVSS 7.8 | AI score 6 | EPSS 0.21045
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2010/10/21

Fixed in Apache Tomcat 7.0.4

Low: SecurityManager file permission bypass CVE-2010-3718 When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate file...

CVSS 1.2 | AI score 5.3 | EPSS 0.01353
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2010/08/11

Fixed in Apache Tomcat 7.0.2

Note: The issue below was fixed in Apache Tomcat 7.0.1 but the release vote for the 7.0.1 release candidate did not pass. Therefore, although users must download 7.0.2 to obtain a version that includes a fix for this issue, version 7.0.2 is not included in the list of affected versions. Important...

CVSS 6.4 | AI score 4.3 | EPSS 0.54779
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2003/01/25

Fixed in Apache Tomcat 3.3.1a

Important: Information disclosure CVE-2003-0043 When used with JDK 1.3.1 or earlier, web.xml files were read with trusted privileges enabling files outside of the web application to be read even when running under a security manager. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1 Important:...

CVSS 5 | AI score 6 | EPSS 0.46035
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2025/06/10

Fixed in Apache Tomcat 9.0.106

Moderate: Session fixation possible via rewrite valve CVE-2025-55668 If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...

CVSS 8.4 | AI score 6.8 | EPSS 0.63258
Exploits: 1 | Affected software: 1
Apache Tomcat
Added 2025/04/08

Fixed in Apache Tomcat 10.1.40

Low: Rewrite rule bypass CVE-2025-31651 For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This was fixed with...

CVSS 9.8 | AI score 7.3 | EPSS 0.66933
Exploits: 6 | Affected software: 1
Apache Tomcat
Added 2011/04/06

Fixed in Apache Tomcat 7.0.12

Important: Information disclosure CVE-2011-1475 Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of respons...

CVSS 5.8 | AI score 5.3 | EPSS 0.0869
Exploits: 0 | Affected software: 1
Apache Tomcat
Added 2001/04/03

Fixed in Apache Tomcat 3.2.2

Moderate: Cross site scripting CVE-2001-0829 The default 404 error page does not escape URLs. This allows XSS attacks using specially crafted URLs. Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1 Moderate: Information disclosure CVE-2001-0590 A specially crafted URL can be used to obtain the source for JSPs...

CVSS 5.1 | AI score 5.2 | EPSS 0.1382
Exploits: 2 | Affected software: 1
Apache Tomcat
Added 2017/12/12

Fixed in Apache Tomcat 8.0.48

Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...

CVSS 5.3 | AI score 5.7 | EPSS 0.06198
Exploits: 0 | Affected software: 1

Total number of security vulnerabilities: 345