345 matches found
Fixed in Apache Tomcat 5.5.24, 5.0.SVN
Moderate: Cross-site scripting CVE-2007-1355 The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided...
Fixed in Apache Tomcat 4.1.13, 4.0.6
Important: Information disclosure CVE-2002-1394 A specially crafted URL using the invoker servlet in conjunction with the default servlet can enable an attacker to obtain the source of JSP pages or, under special circumstances, a static resource that would otherwise have been protected by a...
Fixed in Apache Tomcat 10.1.9
Important: Information disclosure CVE-2023-34981 The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy...
Fixed in Apache Tomcat 10.1.1
Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (not the default), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat wa...
Fixed in Apache Tomcat 10.0.20
Note: The issue below was fixed in Apache Tomcat 10.0.19 but the release vote for the 10.0.19 release candidate did not pass. Therefore, although users must download 10.0.20 to obtain a version that includes a fix for these issues, version 10.0.19 is not included in the list of affected versions...
Fixed in Apache Tomcat 7.0.84
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 Note: The issue below was fixed in Apache Tomcat 7.0.83 but the release vote for the 7.0.83 release candidate did not pass. Therefore, although users must download 7.0.84 to obtain a version that includes the fix for this issue,...
Fixed in Apache Tomcat 8.0.8
Note: The issue below was fixed in Apache Tomcat 8.0.6 but the release votes for the 8.0.6 and 8.0.7 release candidates did not pass. Therefore, although users must download 8.0.8 to obtain a version that includes a fix for this issue, versions 8.0.6 and 8.0.7 are not included in the list of...
Fixed in Apache Tomcat 4.0.2
Low: Information disclosure CVE-2002-2009, CVE-2001-0917 Requests for JSP files where the file name is preceded by '+/', '/', '/' or '%20/' or a request for a JSP with a long file name would result in an error page that included the full file system path to the JSP file. Affects: 4.0.0-4.0.1...
Fixed in Apache Tomcat 4.1.35
Low: Information disclosure CVE-2008-4308 Bug 40771 may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist, the content read from the input stream must be disclosed, e.g. via writing it to the response and committing the response, before the...
Fixed in Apache Tomcat 4.1.3
Important: Denial of service CVE-2002-0935 A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive. Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6...
Fixed in Apache Tomcat 9.0.97
Important: XSS in generated JSPs CVE-2024-52318 The fix for improvement 69333 caused pooled JSP tags not to be released after use which in turn could cause output of some tags not to be escaped as expected. This unescaped output could lead to XSS. This was fixed with commit 9813c5dd. This issue was...
Fixed in Apache Tomcat 11.0.0-M21
Important: Denial of Service CVE-2024-34750 When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain...
Fixed in Apache Tomcat JK Connector 1.2.43
Important: Information disclosure CVE-2018-1323 The IIS/ISAPI specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a...
Fixed in Apache Tomcat 7.0.33
Important: Session fixation CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that...
Fixed in Apache Tomcat 7.0.14
Important: Security constraint bypass CVE-2011-1582 An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly. This was fixed in revision 1100832. This...
Fixed in Apache Tomcat 10.1.0-M17
Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit d6251d1c. This issue was reported to the Apache Tomcat Securit...
Fixed in Apache Tomcat 6.0.32
Note: The issue below was fixed in Apache Tomcat 6.0.31 but the release vote for the 6.0.31 release candidate did not pass. Therefore, although users must download 6.0.32 to obtain a version that includes a fix for this issue, version 6.0.31 is not included in the list of affected versions...
Fixed in Apache Tomcat 6.0.30
Low: Cross-site scripting CVE-2011-0013 The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages. This was fixed in revision...
Fixed in Apache Tomcat 4.1.0
Important: Denial of service CVE-2003-0866 A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive. Affects: 4.0.0-4.0.6 Low: Information...
Fixed in Apache Tomcat 11.0.2
Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete - CVE-2024-56337 The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 11.0.2 or later, users running Tomcat on a case insensitive file system with the...
Fixed in Apache Tomcat 10.1.0-M14
Note: The issue below was fixed in Apache Tomcat 10.1.0-M13 but the release vote for the 10.1.0-M13 release candidate did not pass. Therefore, although users must download 10.1.0-M14 to obtain a version that includes a fix for these issues, version 10.1.0-M13 is not included in the list of affect...
Fixed in Apache Tomcat JK Connector 1.2.42
Moderate: Buffer Overflow CVE-2016-6808 The IIS/ISAPI specific code implements special handling when a virtual host is present. The virtual host name and the URI are concatenated to create a virtual host mapping rule. The length checks prior to writing to the target buffer for this rule did not...
Fixed in Apache Tomcat 7.0.40
Moderate: Information disclosure CVE-2013-2071 Bug 54178 described a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw...
Fixed in Apache Tomcat JK Connector 1.2.27
Important: Information disclosure CVE-2008-5519 Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly, may permit one user to view the response associated with a different user's request. This was fixed in revision 702540...
Fixed in Apache Tomcat 3.3.1
Important: Denial of service CVE-2003-0045 JSP page names that match a Windows DOS device name, such as aux.jsp, may cause the thread processing the request to become unresponsive. A sequence of such requests may cause all request processing threads, and hence Tomcat, to become unresponsive...
Fixed in Apache Tomcat 10.1.31
Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 146f94f8. This issue was identified by the Tomcat Security Team on 1 October 2024...
Fixed in Apache Tomcat 9.0.75
Important: Information disclosure CVE-2023-34981 The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy...
Fixed in Apache Standard Taglib 1.2.3
Important: Information Disclosure CVE-2015-0254 Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a JSTL XML tag. This issue was identified by David Jorm of IIX and made public on 2...
Fixed in Apache Tomcat 3.2.4
Moderate: Information disclosure CVE-2001-1563 No specifics are provided in the vulnerability report. This may be a summary of other issues reported against 3.2.x Affects: 3.2?, 3.2.1, 3.2.2-3.2.3?...
Fixed in Apache Tomcat 8.5.84
Low: Apache Tomcat JsonErrorReportValve injection CVE-2022-45143 The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...
Fixed in Apache Tomcat 8.0.0-RC3
Note: The issue below was fixed in Apache Tomcat 8.0.0-RC2 but the release vote for 8.0.0-RC2 did not pass. Therefore, although users must download 8.0.0-RC3 to obtain a version that includes a fix for this issue, version 8.0.0-RC2 is not included in the list of affected versions. Important:...
Fixed in Apache Tomcat 8.5.65
Important: Denial of Service CVE-2021-30639 An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future...
Fixed in Apache Tomcat Native Connector 1.2.17
Moderate: Mishandled OCSP invalid response CVE-2018-8019 When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates...
Fixed in Apache Tomcat JK Connector 1.2.21
Critical: Arbitrary code execution and denial of service CVE-2007-0774 An unsafe memory copy in the URI handler for the native JK connector could result in a stack overflow condition which could be leveraged to execute arbitrary code or crash the web server. Affects: JK 1.2.19-1.2.20 Source shipp...
Fixed in Apache Tomcat 3.3.2
Moderate: Cross site scripting CVE-2003-0044 The root web application and the examples web application contained a number of cross-site scripting vulnerabilities. Note that it is recommended that the examples web application is not installed on production servers. Affects: 3.0, 3.1-3.1.1, 3.2-3.2....
Fixed in Apache Tomcat 4.1.29
Moderate: Cross-site scripting CVE-2002-1567 The unmodified requested URL is included in the 404 response header. The new lines in this URL appear to the client to be the end of the header section. The remaining part of the URL, including the script elements, is treated as part of the response bo...
Fixed in Apache Tomcat 10.1.33
Note: The issue below was fixed in Apache Tomcat 10.1.32 but the release vote for the 10.1.32 release candidate did not pass. Therefore, although users must download 10.1.33 to obtain a version that includes a fix for these issues, version 10.1.32 is not included in the list of affected versions...
Fixed in Apache Tomcat 11.0.1
Important: XSS in generated JSPs CVE-2024-52318 The fix for improvement 69333 caused pooled JSP tags not to be released after use which in turn could cause output of some tags not to be escaped as expected. This unescaped output could lead to XSS. This was fixed with commit 8d1fc473. This issue was...
Fixed in Apache Tomcat 9.0.0.M17
Note: The issue below was fixed in Apache Tomcat 9.0.0.M16 but the release vote for the 9.0.0.M16 release candidate did not pass. Therefore, although users must download 9.0.0.M17 to obtain a version that includes the fix for this issue, version 9.0.0.M16 is not included in the list of affected...
Fixed in Apache Tomcat 11.0.0-M6
Important: Information disclosure CVE-2023-34981 The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy...
Fixed in Apache Tomcat 5.5.1
Low: Information disclosure CVE-2008-3271 Bug 25835 can, in rare circumstances - this has only been reproduced using a debugger to force a particular processing sequence for two threads - allow a user from a non-permitted IP address to gain access to a context that is protected with a valve that...
Fixed in Apache Tomcat 3.2
Low: Information disclosure CVE-2000-0759 Requesting a JSP that does not exist results in an error page that includes the full file system path of the current context. Affects: 3.1 Important: Information disclosure CVE-2000-0672 Access to the admin context is not protected. This context allows an...
Fixed in Apache Tomcat 9.0.99
Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet - CVE-2025-24813 The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator...
Fixed in Apache Tomcat 10.1.34
Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete - CVE-2024-56337 The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 10.1.34 or later, users running Tomcat on a case insensitive file system with th...
Fixed in Apache Tomcat 11.0.0
Important: Request and/or response mix-up CVE-2024-52317 Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 9e840cca. This issue was identified by the Tomcat Security Team on 1 October 2024...
Fixed in Apache Tomcat JK Connector 1.2.41
Important: Information disclosure CVE-2014-8111 Multiple adjacent slashes in a request URI were not collapsed to a single slash before comparing the request URI to the configured mount and unmount patterns. It is therefore possible for an attacker to use a request URI containing multiple adjacent...
Fixed in Apache Tomcat 9.0.105
Low: CGI security constraint bypass CVE-2025-46701 When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL. This was...
Fixed in Apache Tomcat Native Connector 1.2.16
Note: The issue below was fixed in Apache Tomcat Native Connector 1.2.15 but the release vote for the 1.2.15 release candidate did not pass. Therefore, although users must download 1.2.16 to obtain a version that includes the fix for this issue, version 1.2.15 is not included in the list of...
Fixed in Apache Tomcat JK Connector 1.2.16
Important: Information disclosure CVE-2006-7197 The Tomcat AJP connector contained a bug that sometimes set a too long length for the chunks delivered by send_body_chunks AJP messages. Bugs of this type can cause mod_jk to read beyond buffer boundaries and thus reveal sensitive memory information to...
Fixed in Apache Tomcat 10.1.42
Moderate: Session fixation possible via rewrite valve CVE-2025-55668 If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...