Lucene search
K
TomcatRecent

345 matches found

Apache Tomcat
Apache Tomcat
added 2020/05/16 12:0 a.m.67 views

Fixed in Apache Tomcat 7.0.104

High: Remote Code Execution via session persistence CVE-2020-9484 If: an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with...

7CVSS7.8AI score0.56636EPSS
Exploits15Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/05/11 12:0 a.m.65 views

Fixed in Apache Tomcat 8.5.55

Important: Remote Code Execution via session persistence CVE-2020-9484 If: an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with...

7CVSS7.8AI score0.56636EPSS
Exploits15Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/05/11 12:0 a.m.65 views

Fixed in Apache Tomcat 10.0.0-M5

Important: Remote Code Execution via session persistence CVE-2020-9484 If: an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with...

7CVSS7.8AI score0.56636EPSS
Exploits15Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/05/11 12:0 a.m.128 views

Fixed in Apache Tomcat 9.0.35

Important: Remote Code Execution via session persistence CVE-2020-9484 If: an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with...

7CVSS7.8AI score0.56636EPSS
Exploits15Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/02/14 12:0 a.m.169 views

Fixed in Apache Tomcat 7.0.100

High: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If suc...

9.8CVSS9AI score0.9927EPSS
Exploits45Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/02/11 12:0 a.m.1067 views

Fixed in Apache Tomcat 9.0.31

Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. I...

9.8CVSS9AI score0.9927EPSS
Exploits45Affected Software1
Apache Tomcat
Apache Tomcat
added 2020/02/11 12:0 a.m.165 views

Fixed in Apache Tomcat 8.5.51

Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. I...

9.8CVSS9AI score0.9927EPSS
Exploits45Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/12/17 12:0 a.m.107 views

Fixed in Apache Tomcat 7.0.99

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

7.5CVSS7.5AI score0.10687EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/12/12 12:0 a.m.76 views

Fixed in Apache Tomcat 8.5.50

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

7.5CVSS7.7AI score0.10687EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/12/12 12:0 a.m.115 views

Fixed in Apache Tomcat 9.0.30

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

7.5CVSS7.7AI score0.10687EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/11/21 12:0 a.m.122 views

Fixed in Apache Tomcat 9.0.29

Moderate: Local Privilege Escalation CVE-2019-12418 When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and...

7CVSS7.3AI score0.01221EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/11/21 12:0 a.m.75 views

Fixed in Apache Tomcat 8.5.49

Note: The issue below was fixed in Apache Tomcat 8.0.48 but the release vote for the 8.0.48 release candidate did not pass. Therefore, although users must download 8.0.49 to obtain a version that includes the fix for this issue, version 8.0.48 is not included in the list of affected versions...

7CVSS7.3AI score0.37618EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/06/07 12:0 a.m.100 views

Fixed in Apache Tomcat 9.0.21

Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...

8.6CVSS8.3AI score0.07538EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/05/13 12:0 a.m.65 views

Fixed in Apache Tomcat 8.5.41

Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOWUPDATE messages for the connection window stream 0 clients were able to cause server-side threads to block eventually leading...

7.5CVSS6.9AI score0.72988EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/05/13 12:0 a.m.52 views

Fixed in Apache Tomcat 9.0.20

Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOWUPDATE messages for the connection window stream 0 clients were able to cause server-side threads to block eventually leading...

7.5CVSS6.9AI score0.72988EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/04/13 12:0 a.m.289 views

Fixed in Apache Tomcat 9.0.19

Note: The issues below were fixed in Apache Tomcat 9.0.18 but the release vote for the 9.0.18 release candidate did not pass. Therefore, although users must download 9.0.19 to obtain a version that includes a fix for these issues, version 9.0.18 is not included in the list of affected versions...

9.3CVSS7.4AI score0.99652EPSS
Exploits12Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/04/12 12:0 a.m.209 views

Fixed in Apache Tomcat 7.0.94

Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...

9.3CVSS7.3AI score0.99652EPSS
Exploits12Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/04/12 12:0 a.m.429 views

Fixed in Apache Tomcat 8.5.40

Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...

9.3CVSS7.3AI score0.99652EPSS
Exploits12Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/02/08 12:0 a.m.82 views

Fixed in Apache Tomcat 8.5.38

Important: Denial of Service CVE-2019-0199 The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's...

7.5CVSS6.7AI score0.72855EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2019/02/08 12:0 a.m.65 views

Fixed in Apache Tomcat 9.0.16

Note: The issue below was fixed in Apache Tomcat 9.0.15 but the release vote for the 9.0.15 release candidate did not pass. Therefore, although users must download 9.0.16 to obtain a version that includes a fix for these issues, version 9.0.15 is not included in the list of affected versions...

7.5CVSS6.7AI score0.72855EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/10/31 12:0 a.m.46 views

Fixed in Apache Tomcat JK Connector 1.2.46

Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 but the release vote for the 1.2.45 release candidate did not pass. Therefore, although users must download 1.2.46 to obtain a version that includes the fix for this issue, version 1.2.45 is not included in the list of affected...

7.5CVSS6.6AI score0.90647EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/09/19 12:0 a.m.108 views

Fixed in Apache Tomcat 7.0.91

Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...

4.3CVSS5.2AI score0.94494EPSS
Exploits3Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/09/10 12:0 a.m.127 views

Fixed in Apache Tomcat 9.0.12

Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...

4.3CVSS5.2AI score0.94494EPSS
Exploits3Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/09/10 12:0 a.m.91 views

Fixed in Apache Tomcat 8.5.34

Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...

4.3CVSS5.2AI score0.94494EPSS
Exploits3Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/07/31 12:0 a.m.35 views

Fixed in Apache Tomcat Native Connector 1.2.17

Moderate: Mishandled OCSP invalid response CVE-2018-8019 When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates...

7.4CVSS7.2AI score0.04199EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/07/07 12:0 a.m.112 views

Fixed in Apache Tomcat 7.0.90

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833760. This issue was reported publicly on 11 June 2018 and formally announced as a...

7.5CVSS7.6AI score0.213EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/07/06 12:0 a.m.169 views

Fixed in Apache Tomcat 8.0.53

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833759. This issue was reported publicly on 11 June 2018 and formally announced as a...

9.8CVSS8.8AI score0.21979EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/06/26 12:0 a.m.108 views

Fixed in Apache Tomcat 8.5.32

Important: Information Disclosure CVE-2018-8037 If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present...

9.8CVSS7AI score0.21979EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/06/25 12:0 a.m.99 views

Fixed in Apache Tomcat 9.0.10

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833757. This issue was reported publicly on 11 June 2018 and formally announced as a...

7.5CVSS6.8AI score0.213EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/05/16 12:0 a.m.60 views

Fixed in Apache Tomcat 7.0.89

Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...

9.8CVSS8.7AI score0.21979EPSS
Exploits0
Apache Tomcat
Apache Tomcat
added 2018/05/16 12:0 a.m.55 views

Fixed in Apache Tomcat 7.0.88

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830376. This issue was reported publicly on 6...

7.5CVSS7.7AI score0.20599EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/05/16 12:0 a.m.85 views

Fixed in Apache Tomcat 9.0.9

Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...

9.8CVSS8.7AI score0.21979EPSS
Exploits0
Apache Tomcat
Apache Tomcat
added 2018/05/08 12:0 a.m.59 views

Fixed in Apache Tomcat 8.0.52

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830375. This issue was reported publicly on 6...

7.5CVSS7.7AI score0.20599EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/05/04 12:0 a.m.85 views

Fixed in Apache Tomcat 8.5.31

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830374. This issue was reported publicly on 6...

7.5CVSS7.7AI score0.20599EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/05/03 12:0 a.m.52 views

Fixed in Apache Tomcat 9.0.8

Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830373. This issue was reported publicly on 6...

7.5CVSS7.7AI score0.20599EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/03/12 12:0 a.m.40 views

Fixed in Apache Tomcat JK Connector 1.2.43

Important: Information disclosure CVE-2018-1323 The IIS/ISAPI specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a...

7.5CVSS7.5AI score0.44244EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/02/13 12:0 a.m.62 views

Fixed in Apache Tomcat 7.0.85

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

6.5CVSS6.8AI score0.17716EPSS
Exploits2Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/02/13 12:0 a.m.60 views

Fixed in Apache Tomcat 8.0.50

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

6.5CVSS6.8AI score0.17716EPSS
Exploits2Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/02/11 12:0 a.m.83 views

Fixed in Apache Tomcat 8.5.28

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

6.5CVSS6.8AI score0.17716EPSS
Exploits2Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/02/11 12:0 a.m.62 views

Fixed in Apache Tomcat 9.0.5

Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...

6.5CVSS6.8AI score0.17716EPSS
Exploits2Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/01/31 12:0 a.m.29 views

Fixed in Apache Tomcat Native Connector 1.2.16

Note: The issue below was fixed in Apache Tomcat Native Connector 1.2.15 but the release vote for the 1.2.15 release candidate did not pass. Therefore, although users must download 1.2.16 to obtain a version that includes the fix for this issue, version 1.2.15 is not included in the list of...

5.9CVSS5.8AI score0.03594EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2018/01/24 12:0 a.m.42 views

Fixed in Apache Tomcat 7.0.84

Low: Incorrectly documented CGI search algorithm CVE-2017-15706 Note: The issue below was fixed in Apache Tomcat 7.0.83 but the release vote for the 7.0.83 release candidate did not pass. Therefore, although users must download 7.0.84 to obtain a version that includes the fix for this issue,...

5.3CVSS5.7AI score0.06198EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/12/12 12:0 a.m.43 views

Fixed in Apache Tomcat 8.0.48

Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...

5.3CVSS5.7AI score0.06198EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/11/30 12:0 a.m.66 views

Fixed in Apache Tomcat 9.0.2

Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...

5.3CVSS5.7AI score0.06198EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/11/30 12:0 a.m.67 views

Fixed in Apache Tomcat 8.5.24

Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...

5.3CVSS5.7AI score0.06198EPSS
Exploits0Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/10/04 12:0 a.m.87 views

Fixed in Apache Tomcat 7.0.82

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

8.1CVSS8.4AI score0.99988EPSS
Exploits23Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/10/04 12:0 a.m.145 views

Fixed in Apache Tomcat 8.0.47

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

8.1CVSS8.4AI score0.99988EPSS
Exploits23Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/10/01 12:0 a.m.115 views

Fixed in Apache Tomcat 8.5.23

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

8.1CVSS8.4AI score0.99988EPSS
Exploits23Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/09/30 12:0 a.m.83 views

Fixed in Apache Tomcat 9.0.1

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

8.1CVSS8.4AI score0.99988EPSS
Exploits23Affected Software1
Apache Tomcat
Apache Tomcat
added 2017/08/16 12:0 a.m.72 views

Fixed in Apache Tomcat 7.0.81

Important: Information Disclosure CVE-2017-12616 When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. This was fixed in revision 1804729. This issue was...

8.1CVSS6.9AI score0.99607EPSS
Exploits19Affected Software1
Total number of security vulnerabilities345