Lucene search
K
ApacheTomcat

261 matches found

CVE
CVE
added 2017/08/10 4:0 p.m.210 views

CVE-2016-0762

CVE-2016-0762 affects Apache Tomcat realms across multiple branches (Tomcat 9.0.x, 8.5.x, 8.0.x, 7.0.x, 6.0.x). The root cause: Realm implementations did not process the supplied password when the username did not exist, enabling a timing attack to determine valid usernames. The default LockOutRe...

5.9CVSS7.3AI score0.07991EPSS
CVE
CVE
added 2016/10/03 12:0 a.m.209 views

CVE-2016-1240

This CVE (CVE-2016-1240) affects the Tomcat init scripts in Debian/Ubuntu packages, allowing local users with Tomcat access to gain root via a symlink attack on the Catalina log file (e.g., /var/log/tomcat7/catalina.out). Affected packages and versions include: tomcat7 before 7.0.56-3+deb8u4 and ...

7.8CVSS7.5AI score0.09783EPSS
CVE
CVE
added 2014/05/31 10:0 a.m.205 views

CVE-2014-0075

Apache Tomcat exposes a vulnerability CVE-2014-0075: an integer overflow in parseChunkHeader() within ChunkedInputFilter.java allows remote attackers to trigger DoS via malformed chunk sizes in chunked transfer encoding. Affected products include Tomcat 6.x before 6.0.40, 7.x before 7.0.53, and 8...

5CVSS7.7AI score0.2006EPSS
CVE
CVE
added 2016/02/25 1:0 a.m.203 views

CVE-2016-0706

CVE-2016-0706 affects Apache Tomcat. Root cause: StatusManagerServlet not on RestrictedServlets.properties, enabling remote authenticated users to bypass SecurityManager and read arbitrary HTTP requests, potentially exposing session IDs. Affected versions include Tomcat 6.x before 6.0.45, 7.x bef...

4.3CVSS6.3AI score0.06232EPSS
CVE
CVE
added 2008/08/13 12:0 a.m.201 views

CVE-2008-2938

CVE-2008-2938 is a directory-traversal vulnerability in Apache Tomcat (affected: 4.1.0–4.1.37, 5.5.0–5.5.26, 6.0.0–6.0.16) that occurs when allowLinking and URIEncoding="UTF-8" are enabled. Exploitation could allow a remote attacker to read arbitrary server files via encoded traversal sequences i...

4.3CVSS7.5AI score0.99708EPSS
CVE
CVE
added 2007/10/15 6:0 p.m.200 views

CVE-2007-5461

CVE-2007-5461 is an absolute path traversal vulnerability in the Apache Tomcat WebDAV servlet. Affected versions span Tomcat 4.x, 5.x (including 5.0.x, 5.5.x up to 5.5.25) and 6.0.x (up to 6.0.14) under certain configurations, enabling remote authenticated users to read arbitrary files via a WebD...

3.5CVSS5.7AI score0.39681EPSS
CVE
CVE
added 2017/08/10 4:0 p.m.200 views

CVE-2016-6794

CVE-2016-6794 affects Apache Tomcat across multiple branches (7.x, 8.x, 9.x) and versions, where the system property replacement feature for configuration files can bypass a configured SecurityManager to read restricted system properties. Connected advisories show concrete impact and suggested fi...

5.3CVSS7AI score0.07152EPSS
CVE
CVE
added 2014/05/31 10:0 a.m.193 views

CVE-2014-0119

CVE-2014-0119 (Tomcat XXE) – Concrete details from connected docs : The vulnerability affects Apache Tomcat versions before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6. It arises from improper constraining of the class loader that accesses the XML parser used with an XSLT stylesheet, enabling...

4.3CVSS7.8AI score0.07616EPSS
CVE
CVE
added 2016/02/25 1:0 a.m.193 views

CVE-2015-5351

CVE-2015-5351 affects Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2. The issue lies in the Manager and Host Manager applications, which establish sessions and send CSRF tokens for arbitrary new requests, allowing remote attackers to bypass CSRF protections by using a...

8.8CVSS8.4AI score0.09212EPSS
CVE
CVE
added 2016/02/25 1:0 a.m.193 views

CVE-2016-0763

CVE-2016-0763 affects Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3. The issue is in ResourceLinkFactory.setGlobalContext: callers are not checked for authorization, allowing remote authenticated users to bypass SecurityManager restrictions and read/write arbitrary a...

6.5CVSS7.1AI score0.11297EPSS
CVE
CVE
added 2007/06/14 11:0 p.m.188 views

CVE-2007-2449

CVE-2007-2449 corresponds to cross-site scripting in Apache Tomcat's examples web application JSP files. Affected: Tomcat 4.0.0–4.0.6, 4.1.0–4.1.36, 5.0.0–5.0.30, 5.5.0–5.5.24, 6.0.0–6.0.13. Root cause: improper validation of user-supplied input in the JSP examples, allowing injected script via t...

4.3CVSS7.1AI score0.77376EPSS
Web
CVE
CVE
added 2014/01/19 4:0 p.m.188 views

CVE-2013-2185

CVE-2013-2185 involves DiskFileItem in Apache Commons FileUpload used with Red Hat JBoss EAP 6.1.0 and JBoss Portal 6.0.0. The issue stems from deserialization of a serialized DiskFileItem where a NULL byte in a filename can let a remote attacker write to arbitrary files. The description notes a ...

7.5CVSS8.2AI score0.07199EPSS
CVE
CVE
added 2017/04/17 4:0 p.m.188 views

CVE-2017-5651

CVE-2017-5651 concerns Apache Tomcat 9.0.0.M1–9.0.0.M18 and 8.5.0–8.5.12, where a refactoring of HTTP connectors caused a regression in the send-file processing. If processing completes quickly, the same Processor could be added to the processor cache twice, potentially using the same Processor f...

9.8CVSS9.1AI score0.07752EPSS
In wild
CVE
CVE
added 2017/08/11 2:0 a.m.184 views

CVE-2016-6796

CVE-2016-6796 affects Apache Tomcat across multiple lines: a malicious web application could bypass the SecurityManager by manipulating the configuration parameters for the JSP Servlet. Affected versions include Tomcat 9.0.0.M1–9.0.0.M9, 8.5.0–8.5.4, 8.0.0.RC1–8.0.36, 7.0.0–7.0.70, and 6.0.0–6.0....

7.5CVSS8.4AI score0.08321EPSS
CVE
CVE
added 2014/05/31 10:0 a.m.181 views

CVE-2014-0099

Apache Tomcat contains an integer overflow in Ascii.java that, when behind a reverse proxy, enables HTTP request smuggling via a crafted Content-Length header. Affected versions are Tomcat 6.0.x before 6.0.40, Tomcat 7.x before 7.0.53, and Tomcat 8.x before 8.0.4. The provided documents do not sp...

4.3CVSS7.8AI score0.08838EPSS
CVE
CVE
added 2011/08/31 11:0 p.m.180 views

CVE-2011-3190

CVE-2011-3190 refers to Apache Tomcat AJP connector handling vulnerabilities where certain implementations could spoof AJP requests and cause a request body to be interpreted as a new request, enabling authentication bypass and potential leakage of sensitive information. The description covers af...

7.5CVSS5.3AI score0.15226EPSS
CVE
CVE
added 2015/02/16 12:0 a.m.180 views

CVE-2014-0227

CVE-2014-0227 affects Apache Tomcat: ChunkedInputFilter mishandles reads after an error, enabling HTTP request smuggling or DoS via malformed chunked data. Affected: Tomcat 6.x before 6.0.42, 7.x before 7.0.55, 8.x before 8.0.9. Remediation: upgrade to fixed releases (6.0.42+, 7.0.55+, 8.0.9+). E...

6.4CVSS6.2AI score0.21045EPSS
CVE
CVE
added 2018/01/31 2:0 p.m.179 views

CVE-2017-15706

CVE-2017-15706 concerns Apache Tomcat: the CGI Servlet documentation for the CGI search algorithm was incorrect, causing some scripts to fail or be executed unexpectedly, while the servlet’s runtime behavior remained unchanged. Public sources in the connected docs confirm this is tied to the CGI ...

5.3CVSS5.7AI score0.06198EPSS
CVE
CVE
added 2017/08/11 2:0 a.m.174 views

CVE-2017-7675

The CVE-2017-7675 entry concerns Apache Tomcat, where the HTTP/2 implementation in Tomcat 9.0.0.M1–9.0.0.M21 and 8.5.0–8.5.15 bypassed security checks that prevented directory traversal via a specially crafted URL. This could bypass security constraints. The provided documents identify affected T...

7.5CVSS7.3AI score0.1014EPSS
CVE
CVE
added 2014/05/31 10:0 a.m.171 views

CVE-2014-0096

CVE-2014-0096 affects Apache Tomcat: DefaultServlet.jspXXE via XML External Entity in XSLT; tracked in Tomcat 6/7/8 lines (older than 6.0.40, 7.x < 7.0.53, 8.x

4.3CVSS7.8AI score0.06905EPSS
CVE
CVE
added 2017/08/10 10:0 p.m.169 views

CVE-2016-6817

CVE-2016-6817 affects the HTTP/2 header parser in Apache Tomcat 9.0.0.M1–M11 and 8.5.0–8.5.6, which can enter an infinite loop when a header exceeds the available buffer, enabling a denial-of-service. The connected documents specify remediation by upgrading to fixed releases: Tomcat 9.0.0.M13 or ...

7.5CVSS8AI score0.0719EPSS
CVE
CVE
added 2013/06/01 10:0 a.m.164 views

CVE-2013-2067

CVE-2013-2067 affects Apache Tomcat FormAuthenticator: in Tomcat 6.0.21–6.0.36 and 7.x before 7.0.33, the relationship between authentication requirements and sessions is mishandled, allowing a remote attacker to inject a request into a session during login completion (session fixation variant). ...

6.8CVSS5.9AI score0.07147EPSS
CVE
CVE
added 2009/11/12 11:0 p.m.162 views

CVE-2009-3548

CVE-2009-3548 affects the Windows installer for Apache Tomcat (versions 6.0.0–6.0.20 and 5.5.0–5.5.28, possibly earlier). The underlying issue is a blank default password for the administrative user, which can be exploited remotely to gain administrative privileges. The linked connected documents...

7.5CVSS7.8AI score0.78995EPSS
CVE
CVE
added 2008/02/12 12:0 a.m.161 views

CVE-2007-5333

Affected software: Apache Tomcat 4.1.0–4.1.36, 5.5.0–5.5.25, 6.0.0–6.0.14. The vulnerability (CVE-2007-5333) arises from improper handling of (1) double quote (" ) characters and (2) %5C-encoded backslash sequences in cookie values, which can leak session IDs and enable session hijacking. It exis...

5CVSS4.7AI score0.62575EPSS
CVE
CVE
added 2009/03/09 9:0 p.m.160 views

CVE-2009-0781

CVE-2009-0781 is an XSS vulnerability in Apache Tomcat’s calendar example (jsp/cal/cal2.jsp). The issue affects Tomcat 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18, allowing remote attackers to inject arbitrary script or HTML via the time parameter in the URL (described as related to invalid HTML...

4.3CVSS4.6AI score0.09125EPSS
Web
CVE
CVE
added 2010/04/23 2:0 p.m.156 views

CVE-2010-1157

CVE-2010-1157 affects Apache Tomcat 5.5.0–5.5.29 and 6.0.0–6.0.26. The vulnerability allows an attacker to disclose the server’s hostname or IP by sending a request for a resource that requires BASIC or DIGEST authentication and then reading the realm field in the WWW-Authenticate header. The pro...

2.6CVSS4.4AI score0.52507EPSS
Web
CVE
CVE
added 2000/09/21 4:0 a.m.155 views

CVE-2000-0760

Affected software: Jakarta Tomcat 3.0 and 3.1 under Apache. Vulnerability: The Snoop servlet exposes sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension, leading to information disclosure. Root cause / details: Information disclosure vulnerability ...

6.4CVSS6.3AI score0.62496EPSS
CVE
CVE
added 2009/06/05 3:25 p.m.155 views

CVE-2009-0783

CVE-2009-0783 affects multiple Apache Tomcat lines (4.1.0–4.1.39, 5.5.0–5.5.27, 6.0.0–6.0.18). The issue allows a local attacker to replace the XML parser used by web applications, enabling reading or modification of other applications’ files such as (1) web.xml, (2) context.xml, or (3) tld files...

4.6CVSS4.6AI score0.00809EPSS
CVE
CVE
added 2025/08/13 12:11 p.m.155 views

CVE-2025-48989

CVE-2025-48989 is an Apache Tomcat vulnerability: an Improper Resource Shutdown or Release issue that affects Tomcat 11.0.x (11.0.0-M1–11.0.9), 10.1.x (10.1.0-M1–10.1.43), and 9.0.x (9.0.0.M1–9.0.107). The root cause is improper release/shutdown handling, exposing high-severity impact (availabili...

7.5CVSS7.1AI score0.03389EPSS
CVE
CVE
added 2012/12/19 11:0 a.m.150 views

CVE-2012-4431

CVE-2012-4431 affects Apache Tomcat 6.x earlier than 6.0.36 and 7.x earlier than 7.0.32. The vulnerability resides in CsrfPreventionFilter, allowing remote attackers to bypass CSRF protection via a request that lacks a session identifier. The connected documents confirm the affected component pat...

4.3CVSS9.2AI score0.09146EPSS
CVE
CVE
added 2025/07/10 7:14 p.m.148 views

CVE-2025-53506

CVE-2025-53506 is an Uncontrolled Resource Consumption vulnerability in Apache Tomcat's HTTP/2 handling: if an HTTP/2 client does not acknowledge the initial settings frame, Tomcat may reduce the maximum permitted concurrent streams, enabling a DoS-like condition. Affected versions span Tomcat 11...

7.5CVSS7.8AI score0.01898EPSS
CVE
CVE
added 2008/08/04 1:0 a.m.143 views

CVE-2008-1232

CVE-2008-1232 is an XSS vulnerability in Apache Tomcat affecting versions 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16. The root cause is improper validation of user-supplied input used in the HttpServletResponse.sendError method, allowing remote attackers to inject arbitrary web script or HTML v...

4.3CVSS6.5AI score0.75865EPSS
CVE
CVE
added 2009/06/05 3:25 p.m.143 views

CVE-2009-0580

CVE-2009-0580 affects Apache Tomcat 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18 when FORM authentication is used. A remote attacker can enumerate valid usernames by sending requests to /j_security_check with malformed URL encoding of the password, due to improper error checking in the MemoryReal...

4.3CVSS4.9AI score0.9444EPSS
Web
CVE
CVE
added 2009/06/05 3:25 p.m.142 views

CVE-2009-0033

CVE-2009-0033 affects Apache Tomcat 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18 when using the Java AJP connector with mod_jk load balancing. A crafted request with invalid headers can cause a denial of service by temporarily blocking connectors that have encountered errors, as demonstrated by a...

5CVSS4.5AI score0.10053EPSS
Web
CVE
CVE
added 2012/01/14 9:0 p.m.141 views

CVE-2011-1184

The vulnerability CVE-2011-1184 affects Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12. The HTTP Digest Access Authentication implementation has insufficient replay-attack countermeasures due to lack of proper nonce and nc (nonce-count) checking, which can allow remot...

5CVSS4.8AI score0.0854EPSS
CVE
CVE
added 2012/11/17 7:0 p.m.139 views

CVE-2012-5887

The CVE-2012-5887 entry concerns the HTTP Digest Access Authentication in Apache Tomcat (versions 5.5.x before 5.5.36, 6.x before 6.0.36, 7.x before 7.0.30). The vulnerability is a failure to properly check stale nonce values when enforcing credentials, enabling remote attackers to bypass access ...

5CVSS6.5AI score0.12098EPSS
CVE
CVE
added 2012/01/05 7:0 p.m.137 views

CVE-2011-4858

CVE-2011-4858 affects Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23. The issue arises from the Java hashCode() implementation allowing predictable hash collisions, enabling a remote attacker to exhaust CPU by sending many crafted parameters in a request (hash collisi...

5CVSS4.4AI score0.80318EPSS
CVE
CVE
added 2009/06/16 8:26 p.m.136 views

CVE-2008-5515

The CVE-2008-5515 entry applies to Apache Tomcat 4.1.0–4.1.39, 5.5.0–5.5.27, and 6.0.0–6.0.18 (and possibly earlier) per the described vulnerability. Root cause: during RequestDispatcher usage, Tomcat normalizes the target pathname before filtering the query string, which can bypass access contro...

5CVSS4.8AI score0.18685EPSS
Web
CVE
CVE
added 2025/07/10 7:3 p.m.136 views

CVE-2025-52434

CVE-2025-52434 is a race-condition DoS in Apache Tomcat when using the APR/Native connector, observed in Tomcat 9.0.0.M1 through 9.0.106 (including older EOL lines) and potentially affecting selected Tomcat 8.x/11.x/10.x configurations via related advisories. The National Vulnerability Database d...

7.5CVSS9.5AI score0.01819EPSS
CVE
CVE
added 2008/08/04 1:0 a.m.134 views

CVE-2008-2370

CVE-2008-2370 affects Apache Tomcat 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16. When a RequestDispatcher is used, Tomcat performs path normalization before removing the query string, enabling remote attackers to read arbitrary files via a .. sequence in a request parameter (directory traversal)...

5CVSS7.3AI score0.52716EPSS
CVE
CVE
added 2012/01/19 2:0 a.m.134 views

CVE-2012-0022

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 are affected by a denial-of-service vulnerability caused by an inefficient handling of HTTP parameters that can be exploited by sending requests with many parameters. The root cause is a hash-collision vulnerability in pa...

5CVSS4.6AI score0.1086EPSS
CVE
CVE
added 2026/04/09 7:21 p.m.133 views

CVE-2026-29146

Summary of CVE-2026-29146 : The Padding Oracle flaw in Apache Tomcat’s EncryptInterceptor affects multiple Tomcat lines: 11.0.0-M1..11.0.18, 10.0.0-M1..10.1.52, 9.0.13..9.0.115, 8.5.38..8.5.100, and 7.0.100..7.0.109. Root cause: during a fix, EncryptInterceptor.messageReceived() was refactored so...

7.5CVSS5.8AI score0.0504EPSS
CVE
CVE
added 2006/07/25 12:0 a.m.131 views

CVE-2006-3835

CVE-2006-3835 affects Apache Tomcat 5 before 5.5.17. The vulnerability allows remote attackers to list directories by using a semicolon before a filename with a mapped extension, as shown by URLs like /;index.jsp or /;help.do. The initial description confirms the condition; related advisories (GH...

5CVSS7.3AI score0.45579EPSS
CVE
CVE
added 2013/06/01 10:0 a.m.131 views

CVE-2013-2071

CVE-2013-2071 affects Apache Tomcat 7.x prior to 7.0.40, where AsyncContextImpl.java may mishandle a RuntimeException thrown from an AsyncListener, potentially exposing elements of a previous request to a current one when a request is recorded by an application. The vulnerability is rooted in the...

2.6CVSS5.7AI score0.06501EPSS
CVE
CVE
added 2011/02/10 5:0 p.m.130 views

CVE-2010-3718

CVE-2010-3718 affects Apache Tomcat 7.0.0–7.0.3, 6.0.x, and 5.5.x when running under a SecurityManager. The vulnerability is that ServletContext attributes are not made read-only, allowing local web applications to read or write files outside the intended working directory via a directory travers...

1.2CVSS5.8AI score0.01353EPSS
CVE
CVE
added 2025/07/10 7:5 p.m.129 views

CVE-2025-52520

The CVE-2025-52520 entry describes an Integer Overflow DoS in Apache Tomcat triggered by certain multipart upload configurations. Affected branches include Tomcat 11.0.x (11.0.0-M1 to 11.0.8) and older 10.1.x (10.1.0-M1 to 10.1.42) and 9.0.x (9.0.0.M1 to 9.0.106); EOL versions may also be affecte...

7.5CVSS9.3AI score0.0196EPSS
CVE
CVE
added 2026/05/12 3:14 p.m.129 views

CVE-2026-41284

CVE-2026-41284 describes an unbounded read vulnerability in WebDAV LOCK and PROPFIND handling in Apache Tomcat. Affected ranges include Tomcat 11.0.0-M1–11.0.21, 10.1.0-M1–10.1.54, and 9.0.0.M1–9.0.117 (older, unsupported versions may also be affected). The issue is triggered by a resource alloca...

7.5CVSS5.7AI score0.0078EPSS
CVE
CVE
added 2010/01/28 8:0 p.m.128 views

CVE-2009-2693

Apache Tomcat contains a directory-traversal flaw (CVE-2009-2693) affecting Tomcat 5.5.0–5.5.28 and 6.0.0–6.0.20. An attacker can cause creation or overwrite of arbitrary files by including a .. path in a WAR entry, for example ../../bin/catalina.bat. The connected documents reiterate this exact ...

5.8CVSS5.1AI score0.09638EPSS
Web
CVE
CVE
added 2007/08/14 10:0 p.m.126 views

CVE-2007-3385

CVE-2007-3385 affects Apache Tomcat: multiple branches (6.0.x, 5.5.x, 4.1.x, 3.3.x) fail to sanitize the " character sequence and similar encoded sequences in cookie values, potentially leaking session IDs and enabling session hijacking. Affected versions include 6.0.0–6.0.14 (and 5.5.0–5.5.25, 4...

4.3CVSS5.3AI score0.16944EPSS
Web
CVE
CVE
added 2012/01/19 2:0 a.m.126 views

CVE-2011-3375

CVE-2011-3375 affects Apache Tomcat 6.0.30–6.0.33 and 7.x before 7.0.22. The root cause is improper caching/recycling of request objects, which can allow remote attackers to read IP addresses and HTTP header information by reading TCP data. The impact is information disclosure of request metadata...

5CVSS3.9AI score0.06694EPSS
Total number of security vulnerabilities261