5 matches found
CVE-2018-8019
CVE-2018-8019 affects OCSP handling in Apache Tomcat Native versions 1.2.0–1.2.16 and 1.1.23–1.1.34, where invalid OCSP responses could cause revoked client certificates to be accepted during mutual TLS authentication. Public details indicate a vulnerability in OCSP response p...
CVE-2018-8020
CVE-2018-8020 affects Apache Tomcat Native 1.2.0–1.2.16 and 1.1.23–1.1.34. The flaw: OCSP pre-produced responses are not properly checked, so revoked client certificates may not be identified in mutual-TLS connections. This vulnerability is explicitly tied to OCSP checking; systems not using OCSP...
CVE-2017-15698
CVE-2017-15698 affects the Apache Tomcat Native Connector (tomcat-native library). It arises from improper handling of AIA-Extension fields longer than 127 bytes, causing the OCSP check to be skipped and potentially allowing invalid client certificates to be accepted. Confirmed fixes appear in up...
CVE-2026-24734
CVE-2026-24734 is an Improper Input Validation vulnerability affecting Apache Tomcat Native and Apache Tomcat itself. When using an OCSP responder, Tomcat Native (and the Tomcat Native FFM port) may not perform verification or freshness checks on OCSP responses, potentially allowing certificate r...
CVE-2026-29145
CVE-2026-29145 describes an authentication bypass in Apache Tomcat mutual TLS (CLIENT_CERT) when OCSP soft-fail is disabled. Affected are Tomcat 11.0.0-M1–11.0.18, 10.1.0-M7–10.1.52, and 9.0.83–9.0.115, plus Tomcat Native 1.1.23–1.1.34, 1.2.0–1.2.39, 1.3.0–1.3.6, and 2.0.0–2.0.13. With OCSP failu...