Lucene search
K
ApacheTomcat

261 matches found

CVE
CVE
added 2012/12/19 11:0 a.m.126 views

CVE-2012-3546

CVE-2012-3546 affects Apache Tomcat 6.x (before 6.0.36) and 7.x (before 7.0.30). The flaw, in RealmBase/FormAuthenticator when FORM authentication is used, lets remote attackers bypass security-constraint checks by leveraging a prior setUserPrincipal() and appending /j_security_check to the URL. ...

4.3CVSS6.3AI score0.11975EPSS
CVE
CVE
added 2010/01/28 8:0 p.m.125 views

CVE-2009-2901

The CVE-2009-2901 entry describes an authentication bypass in Apache Tomcat when the autodeployment (autoDeploy) feature is enabled. Affected versions are Tomcat 5.5.0–5.5.28 and 6.0.0–6.0.20, where appBase files left from a failed undeploy can be deployed and used to bypass intended authenticati...

4.3CVSS5.7AI score0.08151EPSS
CVE
CVE
added 2010/07/13 5:0 p.m.125 views

CVE-2010-2227

CVE-2010-2227 : Apache Tomcat versions 5.5.0–5.5.29, 6.0.0–6.0.27, and 7.0.0 beta are affected by improper handling of an invalid Transfer-Encoding header, which can cause a denial of service (outage) or information leakage via a crafted header that interferes with recycling of a buffer. The conn...

6.4CVSS4.4AI score0.54779EPSS
Web
CVE
CVE
added 2025/06/16 2:22 p.m.122 views

CVE-2025-49124

CVE-2025-49124 : Untrusted Search Path in Apache Tomcat Windows installer. Tomcat’s Windows installer runs icacls.exe without a full path. Affected: Tomcat 11.0.0-M1–11.0.7, 10.1.0–10.1.41, 9.0.23–9.0.105 (plus some EOL versions). Mitigation: upgrade to 11.0.8, 10.1.42 or 9.0.106. CVSSv3.1 base s...

8.4CVSS7.3AI score0.00347EPSS
CVE
CVE
added 2010/11/26 7:0 p.m.121 views

CVE-2010-4172

CVE-2010-4172 affects Apache Tomcat 6.0.12–6.0.29 and 7.0.0–7.0.4, with multiple XSS vulnerabilities in the Tomcat Manager app (sessionsList.jsp via orderBy/sort, and input to sessionDetail.jsp or JspHelper.java) exploitable by remote attackers, related to untrusted web applications. The connecte...

4.3CVSS5.9AI score0.42009EPSS
Web
CVE
CVE
added 2017/04/17 4:0 p.m.121 views

CVE-2017-5650

CVE-2017-5650 affects Apache Tomcat 9.0.0.M1–M18 and 8.5.0–8.5.12. The HTTP/2 GOAWAY handling could fail to close streams waiting for a WINDOW_UPDATE, causing those streams to consume threads and enabling a malicious client to exhaust processing threads (DoS). There is no exploitation status in t...

7.5CVSS8.3AI score0.08275EPSS
In wild
CVE
CVE
added 2026/04/09 7:20 p.m.121 views

CVE-2026-29145

CVE-2026-29145 describes an authentication bypass in Apache Tomcat mutual TLS (CLIENT_CERT) when OCSP soft-fail is disabled. Affected are Tomcat 11.0.0-M1–11.0.18, 10.1.0-M7–10.1.52, and 9.0.83–9.0.115, plus Tomcat Native 1.1.23–1.1.34, 1.2.0–1.2.39, 1.3.0–1.3.6, and 2.0.0–2.0.13. With OCSP failu...

9.1CVSS5.8AI score0.00715EPSS
CVE
CVE
added 2007/05/09 10:0 p.m.120 views

CVE-2006-7196

Cross-site scripting (XSS) vulnerability in the calendar example (cal2.jsp) of Apache Tomcat affects 4.0.0–4.0.6, 4.1.0–4.1.31, 5.0.0–5.0.30, and 5.5.0–5.5.15. An attacker can inject arbitrary script via the time parameter to cal2.jsp (and possibly other vectors). This enables script execution in...

4.3CVSS5.5AI score0.72168EPSS
CVE
CVE
added 2008/06/04 7:17 p.m.120 views

CVE-2008-1947

CVE-2008-1947 is an XSS vulnerability in Apache Tomcat, affecting 5.5.9–5.5.26 and 6.0.0–6.0.16. It allows remote attackers to inject arbitrary web script or HTML via the name parameter (the hostname attribute) to host-manager/html/add. The connected documents confirm the affected product/version...

4.3CVSS6.6AI score0.09776EPSS
Web
CVE
CVE
added 2011/06/29 5:0 p.m.119 views

CVE-2011-2204

CVE-2011-2204 affects Apache Tomcat when MemoryUserDatabase logs password data on JMX user creation errors. Affected: Tomcat 5.5.x < 5.5.34, 6.x < 6.0.33, 7.x

1.9CVSS4.1AI score0.00668EPSS
CVE
CVE
added 2026/02/17 6:53 p.m.119 views

CVE-2026-24734

CVE-2026-24734 is an Improper Input Validation vulnerability affecting Apache Tomcat Native and Apache Tomcat itself. When using an OCSP responder, Tomcat Native (and the Tomcat Native FFM port) may not perform verification or freshness checks on OCSP responses, potentially allowing certificate r...

7.5CVSS5.4AI score0.00498EPSS
CVE
CVE
added 2007/05/09 10:0 p.m.118 views

CVE-2007-1358

CVE-2007-1358 is an XSS vulnerability affecting Apache Tomcat 4.x. It allows remote attackers to inject arbitrary script or HTML via crafted Accept-Language headers that do not conform to RFC 2616. Affected product ranges include Tomcat 4.0.0–4.0.6 and 4.1.0–4.1.34. The issue is triggered by impr...

2.6CVSS7.6AI score0.19889EPSS
CVE
CVE
added 2014/09/12 1:0 a.m.118 views

CVE-2013-4444

CVE-2013-4444 is an Unrestricted file upload vulnerability in Apache Tomcat 7.x, prior to 7.0.40, where outdated java.io.File handling and a custom JMX config allow remote attackers to upload and access a JSP file, enabling arbitrary code execution on the vulnerable Tomcat instance. Public detail...

6.8CVSS9AI score0.1399EPSS
CVE
CVE
added 2008/01/23 1:0 a.m.117 views

CVE-2008-0128

Apache Tomcat 5.x before 5.5.21 is affected by CVE-2008-0128: when the SingleSignOn valve is used over HTTPS, the JSESSIONIDSSO cookie is not marked secure, allowing it to be sent over HTTP and potentially captured by an attacker via a crafted HTTP request. This information is supported by multip...

5CVSS9AI score0.19622EPSS
CVE
CVE
added 2011/02/18 11:0 p.m.117 views

CVE-2011-0013

CVE-2011-0013 describes XSS in the HTML Manager Interface of Apache Tomcat: affected are Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6. The vulnerability allows remote attackers to inject arbitrary web script or HTML via the display-name tag. Mitigation is upgrading to the fix...

4.3CVSS5.9AI score0.10228EPSS
CVE
CVE
added 2014/02/26 11:0 a.m.117 views

CVE-2014-0033

CVE-2014-0033 affects Apache Tomcat 6.0.33–6.0.37, where the disableURLRewriting setting is not honored when a session ID is in a URL. This could allow remote attackers to hijack a valid user’s session via a crafted link. The vulnerability is documented in IBM advisories and the GHSA entry, which...

4.3CVSS8.1AI score0.09895EPSS
CVE
CVE
added 2010/01/28 8:0 p.m.116 views

CVE-2009-2902

CVE-2009-2902 is a directory traversal vulnerability in Apache Tomcat, affecting 5.5.0–5.5.28 and 6.0.0–6.0.20. The issue allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename (e.g., a crafted entry like ../../... in a WAR). The connected Nessu...

4.3CVSS5AI score0.1078EPSS
CVE
CVE
added 2026/06/29 8:41 p.m.116 views

CVE-2026-53434

CVE-2026-53434 affects Apache Tomcat when CRLs are configured for a FFM-based connector. The root cause is a failure to detect an error condition without action, potentially bypassing security checks. Affected versions include Tomcat 11.0.0-M1 through 11.0.22, 10.1.0-M7 through 10.1.55, and 9.0.8...

9.1CVSS5.7AI score0.00368EPSS
CVE
CVE
added 2007/08/14 10:0 p.m.115 views

CVE-2007-3382

The CVE-2007-3382 issue affects multiple Apache Tomcat releases (Tomcat 6.0.0–6.0.13, 5.5.0–5.5.24, 5.0.0–5.0.30, 4.1.0–4.1.36, 3.3–3.3.2). The root cause is that Tomcat treats the single quote (') as a delimiter in cookies, which can lead to leakage of sensitive data such as session IDs and enab...

4.3CVSS7.3AI score0.37497EPSS
CVE
CVE
added 2026/05/12 3:24 p.m.115 views

CVE-2026-43512

CVE-2026-43512 describes an authentication bypass in the Digest authenticator of Apache Tomcat. Affected are Tomcat 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, 8.5.0 to 8.5.100, and older/pre-7.0.0 versions. The issue is fixed in Tomcat 11.0.22, 10.1.55, and 9.0.118. Multiple...

9.8CVSS5.8AI score0.01233EPSS
Web
CVE
CVE
added 2007/08/14 10:0 p.m.112 views

CVE-2007-3386

CVE-2007-3386 is a cross-site scripting (XSS) vulnerability in the Host Manager Servlet of Apache Tomcat, affected in Tomcat 6.0.0–6.0.13 and 5.5.0–5.5.24. An attacker can inject arbitrary HTML/script by sending crafted requests, demonstrated via the aliases parameter to an html/add action. Conne...

4.3CVSS6.8AI score0.58956EPSS
Web
CVE
CVE
added 2009/04/09 3:0 p.m.112 views

CVE-2008-5519

The CVE refers to the mod_jk (JK Connector) for Apache Tomcat, affected in the 1.2.0–1.2.26 range. The root cause is an error in handling certain HTTP requests, enabling an attacker to obtain sensitive information via Content-Length-related scenarios (e.g., a request with Content-Length but no PO...

2.6CVSS5.6AI score0.07263EPSS
CVE
CVE
added 2007/06/14 11:0 p.m.111 views

CVE-2007-2450

CVE-2007-2450 refers to multiple cross-site scripting (XSS) vulnerabilities in the Manager and Host Manager web applications of Apache Tomcat. The description in the initial document states that remote authenticated users can inject arbitrary web script or HTML via a parameter name to /manager/ht...

3.5CVSS6.6AI score0.03291EPSS
Web
CVE
CVE
added 2012/11/17 7:0 p.m.111 views

CVE-2012-5885

Affected software: Apache Tomcat (5.5.x up to 5.5.36, 6.x up to 6.0.36, 7.x up to 7.0.30) using the HTTP Digest Access Authentication replay-countermeasure. Root cause: replay-countermeasure tracks cnonce values instead of server nonce and nonce-count, enabling bypass of access restrictions when ...

5CVSS6.7AI score0.0898EPSS
CVE
CVE
added 2007/12/27 10:0 p.m.110 views

CVE-2007-5342

CVE-2007-5342 affects Apache Tomcat versions 5.5.9–5.5.25 and 6.0.0–6.0.15 where the default catalina.policy for the JULI logging component fails to restrict permissions for web applications. The underly­ing issue is that untrusted web apps can modify logging configuration options and overwrite a...

6.4CVSS7.4AI score0.05156EPSS
CVE
CVE
added 2012/12/19 11:0 a.m.110 views

CVE-2012-4534

The CVE-2012-4534 issue affects Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28. When using the NIO connector with sendfile over HTTPS, the NioEndpoint can enter an infinite loop if the client terminates the connection while reading a response, causing a denial of service. The root cause is...

2.6CVSS8.9AI score0.07452EPSS
CVE
CVE
added 2007/05/21 8:0 p.m.108 views

CVE-2007-1355

CVE-2007-1355 corresponds to multiple cross-site scripting (XSS) vulnerabilities in the Tomcat sample web app (appdev/sample/web/hello.jsp). Affected are Tomcat versions 4.0.0–4.0.6, 4.1.0–4.1.36, 5.0.0–5.0.30, 5.5.0–5.5.23, and 6.0.0–6.0.10. The issue allows remote attackers to inject arbitrary ...

4.3CVSS8AI score0.58246EPSS
Web
CVE
CVE
added 2011/02/10 5:0 p.m.108 views

CVE-2011-0534

CVE-2011-0534 affects Apache Tomcat 7.0.0–7.0.6 and 6.0.0–6.0.30. The issue arises because maxHttpHeaderSize is not enforced for NIO HTTP connector requests, enabling remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. Affected products are Tomcat 7/6 family as...

5CVSS5.7AI score0.07885EPSS
CVE
CVE
added 2010/08/05 6:0 p.m.107 views

CVE-2009-2696

Apache Tomcat contains a cross-site scripting (XSS) vulnerability in the calendar example (jsp/cal/cal2.jsp). A remote attacker can inject script via the time parameter due to improper validation of user input (related to invalid HTML). The issue is documented in a GitHub advisory (GHSA-J788-FX57...

4.3CVSS4.5AI score0.05012EPSS
Web
CVE
CVE
added 2011/07/14 11:0 p.m.107 views

CVE-2011-2526

CVE-2011-2526 affects Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19. When sendfile is enabled for the HTTP APR or HTTP NIO connector, Tomcat may not validate certain request attributes, allowing a local attacker to bypass file access restrictions or trigger a denial ...

4.4CVSS4.4AI score0.00699EPSS
CVE
CVE
added 2012/01/14 9:0 p.m.107 views

CVE-2011-5064

The vulnerability CVE-2011-5064 affects Apache Tomcat’s HTTP Digest Access Authentication (DigestAuthenticator.java) where Catalina is used as the hard-coded server secret (private key). Affected are Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12. This weakness enables remot...

4.3CVSS4.6AI score0.0657EPSS
CVE
CVE
added 2012/11/17 7:0 p.m.107 views

CVE-2012-5886

CVE-2012-5886 (Apache Tomcat) is an authentication bypass issue in the Digest Access Authentication implementation. It occurs because the HTTP Digest Auth stores information about the authenticated user in the session state, enabling remote attackers to bypass authentication by exploiting session...

5CVSS6.3AI score0.08768EPSS
CVE
CVE
added 2025/10/27 5:30 p.m.107 views

CVE-2025-61795

CVE-2025-61795 is an Apache Tomcat DoS due to improper resource shutdown: when processing multipart uploads, temporary parts on disk may not be cleaned promptly, allowing resource exhaustion. Affects Tomcat 11.x (11.0.0-M1–11.0.11), 10.x (10.1.0-M1–10.1.46), and 9.x (9.0.0.M1–9.0.109); EOL 8.5.x ...

5.3CVSS6.4AI score0.01139EPSS
CVE
CVE
added 2012/01/14 9:0 p.m.106 views

CVE-2011-5063

CVE-2011-5063 describes an issue in Apache Tomcat’s HTTP Digest Access Authentication where the realm values are not checked, enabling bypass of access controls by exploiting a protection space with weaker requirements (distinct from CVE-2011-1184). Related documents (CVE-2011-1184, CVE-2012-5885...

4.3CVSS4.9AI score0.06631EPSS
CVE
CVE
added 2007/05/09 10:0 p.m.105 views

CVE-2006-7195

CVE-2006-7195 is an XSS vulnerability in Apache Tomcat’s implicit-objects.jsp. The initial description states it affects Tomcat 5.0.0–5.0.30 and 5.5.0–5.5.17, allowing remote attackers to inject arbitrary scripts/HTML via certain HTTP header values. The connected documents confirm a Tomcat XSS is...

4.3CVSS5.4AI score0.05476EPSS
CVE
CVE
added 2026/06/29 8:36 p.m.105 views

CVE-2026-50229

CVE-2026-50229 describes an XSS flaw in the Apache Tomcat “number guess” example. Affected versions include Tomcat 11.0.0-M1–11.0.22, 10.1.0-M1–10.1.55, 9.0.0.M1–9.0.118, 8.5.0–8.5.100, and 7.0.0–7.0.109. The root cause is improper neutralization of script-related HTML tags in that example web pa...

6.1CVSS5.7AI score0.00423EPSS
CVE
CVE
added 2007/04/25 9:0 p.m.104 views

CVE-2005-4838

CVE-2005-4838 corresponds to cross-site scripting vulnerabilities in Apache Tomcat 5.5.6 and earlier, manifested in the JSP2 example pages (el/functions.jsp, el/implicit-objects.jsp, jspx/textRotate.jspx under examples/jsp2/), exploitable via a crafted request to snp/snoop.jsp. The issue is trigg...

4.3CVSS8.2AI score0.07883EPSS
Web
CVE
CVE
added 2008/02/12 12:0 a.m.103 views

CVE-2008-0002

CVE-2008-0002 affects Apache Tomcat 6.0.0–6.0.15 and relates to parameter processing during an exception. The issue may disclose sensitive information when parameters are processed in the context of the wrong request, demonstrated by disconnecting during processing to trigger the exception. This ...

5.8CVSS7.3AI score0.05057EPSS
CVE
CVE
added 2012/01/14 9:0 p.m.103 views

CVE-2011-5062

CVE-2011-5062 affects Apache Tomcat’s HTTP Digest Access Authentication. The vulnerability arises because Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 do not check qop values, enabling remote attackers to bypass intended integrity protections via a qop=auth value. This is ...

5CVSS4.6AI score0.07628EPSS
CVE
CVE
added 2026/06/29 8:47 p.m.102 views

CVE-2026-55957

CVE-2026-55957 describes an authentication bypass in Apache Tomcat when JNDIRealm is configured to authenticate binds using GSSAPI, allowing attackers to authenticate without the correct password. Affected releases include Tomcat 11.0.0-M1–11.0.4, 10.1.0-M1–10.1.36, 9.0.0.M1–9.0.100, 8.5.0–8.5.10...

7.3CVSS5.7AI score0.00462EPSS
CVE
CVE
added 2026/05/12 3:19 p.m.101 views

CVE-2026-41293

Summary: CVE-2026-41293 is an Apache Tomcat vulnerability described as an Improper Input Validation issue. The connected sources confirm impact across multiple Tomcat branches: 11.0.0-M1 to 11.0.21, 10.1.0-M1 to 10.1.54, 9.0.0.M1 to 9.0.117, and 10.0.0-M1 to 10.0.27. The CVSS 3.1 data indicates a...

9.8CVSS5.7AI score0.01339EPSS
CVE
CVE
added 2007/05/09 10:0 p.m.100 views

CVE-2005-4836

CVE-2005-4836 affects Apache Tomcat 4.1.15–4.1.40. The HTTP/1.1 connector may fail to reject NULL bytes in a URL when allowLinking is enabled, enabling a remote attacker to read JSP source files and obtain sensitive information. Multiple connected sources corroborate the same description and clas...

7.8CVSS6.3AI score0.03503EPSS
CVE
CVE
added 2011/03/14 7:0 p.m.100 views

CVE-2011-1088

CVE-2011-1088 affects Apache Tomcat 7.x prior to 7.0.10 (and related entries reference 7.0.11 in follow‑ups). The issue: Tomcat does not follow ServletSecurity annotations when a web.xml has no security constraints, allowing remote attackers to bypass the intended access restrictions via HTTP req...

5.8CVSS4.2AI score0.06453EPSS
CVE
CVE
added 2011/08/15 9:0 p.m.100 views

CVE-2011-2729

CVE-2011-2729 affects the Jakarta Commons Daemon jsvc component in Tomcat runtimes (Tomcat 5.5.32–5.5.33, 6.0.30–6.0.32, and 7.0.x before 7.0.20) where jsvc did not properly drop capabilities. This allows a remote attacker to bypass read permissions for files via an application request. The root ...

5CVSS4.1AI score0.07243EPSS
CVE
CVE
added 2012/11/16 9:0 p.m.100 views

CVE-2012-2733

CVE-2012-2733 involves Apache Tomcat’s HTTP NIO connector (java/org/apache/coyote/http11/InternalNioInputBuffer.java). The flaw does not properly restrict the request-header size in Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, allowing remote attackers to trigger memory consumption and cause a...

5CVSS8.7AI score0.08742EPSS
CVE
CVE
added 2017/03/23 4:0 p.m.100 views

CVE-2016-9774

The CVE-2016-9774 issue affects the postinst scripts of tomcat6, tomcat7, and tomcat8 across multiple Debian/Ubuntu releases (e.g., Debian wheezy, Ubuntu 12.04/14.04, Debian jessie, Ubuntu 16.04/16.10, and Ubuntu 17.04). The root cause is a symlink attack on the Catalina localhost directory durin...

7.8CVSS8AI score0.00747EPSS
CVE
CVE
added 2026/02/17 6:48 p.m.99 views

CVE-2025-66614

CVE-2025-66614 is an improper input validation issue in Apache Tomcat. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112, with older EOL versions (8.5.0–8.5.100) also listed as affected. The root cause is failure to verify...

9.1CVSS5.5AI score0.00235EPSS
CVE
CVE
added 2026/05/12 3:33 p.m.97 views

CVE-2026-43515

The CVE-2026-43515 issue is an Improper Authorization flaw in Apache Tomcat caused by multiple method constraints defining the HTTP method for the same extension. Affected versions include Tomcat 11.0.0-M1–11.0.21, 10.1.0-M1–10.1.54, 9.0.0.M1–9.0.117, 8.5.0–8.5.100, and 7.0.0–7.0.109. Mitigation ...

9.1CVSS5.8AI score0.01136EPSS
Web
CVE
CVE
added 2011/04/08 3:0 p.m.96 views

CVE-2011-1183

CVE-2011-1183 affects Apache Tomcat 7.0.11 and related 7.x releases where, if web.xml has no login configuration, security constraints are not followed. This allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. The issue is noted as a consequence ...

5.8CVSS4.3AI score0.06156EPSS
CVE
CVE
added 2026/06/29 8:46 p.m.96 views

CVE-2026-55956

CVE-2026-55956 is an improper authorization vulnerability in Apache Tomcat. The issue causes the security constraints configured for the default servlet to ignore certain methods or method omissions, potentially bypassing intended access controls. Affected product ranges include Tomcat versions 1...

6.5CVSS5.7AI score0.0041EPSS
Total number of security vulnerabilities261