Search query: ApacheTomcat

230 matches found

CVE-2003-0043
added 2004/09/01 4:00 a.m., 59 views

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.

CVSS 5, AI score 6.3, EPSS 0.02561

CVE-2011-1419
added 2011/03/14 7:55 p.m., 59 views

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVSS 5.8, AI score 4.4, EPSS 0.16103

CVE-2010-4312
added 2010/11/26 8:00 p.m., 58 views

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

CVSS 6.4, AI score 4.4, EPSS 0.01735

CVE-2001-0829
added 2001/12/06 5:00 a.m., 57 views

A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.

CVSS 5.1, AI score 5.8, EPSS 0.00731

CVE-2002-1148
added 2004/09/01 4:00 a.m., 57 views

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

CVSS 5, AI score 6.4, EPSS 0.39379

CVE-2002-0936
added 2002/10/04 4:00 a.m., 56 views

The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null).

CVSS 5, AI score 6.8, EPSS 0.08273

CVE-2003-0045
added 2004/09/01 4:00 a.m., 56 views

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.

CVSS 5, AI score 6.6, EPSS 0.0171

CVE-2002-2006
added 2005/07/14 4:00 a.m., 55 views

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.

CVSS 5, AI score 6.1, EPSS 0.32359

CVE-2002-2007
added 2005/07/14 4:00 a.m., 55 views

The default installations of Apache Tomcat 3.2.3 and 3.2.4 allows remote attackers to obtain sensitive system information such as directory listings and web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or t...

CVSS 5, AI score 6.3, EPSS 0.22609

CVE-2003-0042
added 2003/02/07 5:00 a.m., 55 views

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

CVSS 5, AI score 6.5, EPSS 0.55831

CVE-2005-0808
added 2005/05/02 4:00 a.m., 54 views

Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.

CVSS 5, AI score 6.6, EPSS 0.17541

CVE-2007-3384
added 2007/08/08 1:17 a.m., 54 views

Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages.

CVSS 4.3, AI score 5.6, EPSS 0.02821

CVE-2000-1210
added 2003/04/02 5:00 a.m., 53 views

Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.

CVSS 5, AI score 6.5, EPSS 0.03925

CVE-2005-3164
added 2005/10/06 10:02 a.m., 53 views

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsu...

CVSS 2.6, AI score 6, EPSS 0.03388

CVE-2008-3271
added 2008/10/13 8:00 p.m., 53 views

Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchro...

CVSS 4.3, AI score 5.9, EPSS 0.043

CVE-2003-0044
added 2003/02/07 5:00 a.m., 51 views

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.

CVSS 6.8, AI score 5.7, EPSS 0.27285

CVE-2007-4724
added 2007/09/05 7:17 p.m., 51 views

Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters.

CVSS 4.3, AI score 6.9, EPSS 0.00682

CVE-2025-49124
added 2025/06/16 3:15 p.m., 51 views

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105...

CVSS 8.4, AI score 6.5, EPSS 0.0002

CVE-2002-2008
added 2005/07/14 4:00 a.m., 46 views

Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.

CVSS 5, AI score 6.4, EPSS 0.07149

CVE-2000-0759
added 2000/10/20 4:00 a.m., 45 views

Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.

CVSS 6.4, AI score 6.1, EPSS 0.39817

CVE-2002-0935
added 2003/04/02 5:00 a.m., 44 views

Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.

CVSS 5, AI score 6.7, EPSS 0.02448

CVE-2005-4703
added 2006/02/01 8:00 p.m., 43 views

Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathname in an error message, as demonstrated by lpt9.xtp using Nikto.

CVSS 5, AI score 6.1, EPSS 0.18347

CVE-2011-3376
added 2011/11/11 9:55 p.m., 43 views

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.

CVSS 4.4, AI score 6.4, EPSS 0.00299

CVE-2001-0917
added 2002/06/25 4:00 a.m., 42 views

Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension.

CVSS 5, AI score 6.2, EPSS 0.02962

CVE-2002-1895
added 2005/06/28 4:00 a.m., 42 views

The servlet engine in Jakarta Apache Tomcat 3.3 and 4.0.4, when using IIS and the ajp1.3 connector, allows remote attackers to cause a denial of service (crash) via a large number of HTTP GET requests for an MS-DOS device such as AUX, LPT1, CON, or PRN.

CVSS 5, AI score 7.1, EPSS 0.02785

CVE-2001-1563
added 2005/07/14 4:00 a.m., 41 views

Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this issue is already covered by other CVE identifiers.

CVSS 7.5, AI score 6.5, EPSS 0.0498

CVE-2002-2009
added 2005/07/14 4:00 a.m., 37 views

Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3)

CVSS 5, AI score 6.7, EPSS 0.0278

CVE-2025-52434
added 2025/07/10 7:15 p.m., 20 views

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...

CVSS 7.5, AI score 6.6, EPSS 0.00078

CVE-2025-53506
added 2025/07/10 8:15 p.m., 20 views

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 t...

CVSS 7.5, AI score 6.5, EPSS 0.00052

CVE-2025-52520
added 2025/07/10 7:15 p.m., 19 views

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recomm...

CVSS 7.5, AI score 6.5, EPSS 0.00052

Total number of security vulnerabilities: 230