Lucene search
K
ApacheTomcat

261 matches found

CVE
CVE
added 2001/01/22 5:0 a.m.94 views

CVE-2000-0672

The CVE-2000-0672 issue concerns the default configuration of Jakarta Tomcat which does not restrict access to the /admin context, enabling a remote attacker to read arbitrary files by invoking administrative servlets to add a context for the root directory. The vulnerability affects the admin co...

5CVSS6.8AI score0.09846EPSS
CVE
CVE
added 2005/11/06 11:0 a.m.92 views

CVE-2005-3510

CVE-2005-3510 affects Apache Tomcat 5.5.0–5.5.11, allowing a DoS via a huge number of simultaneous directory-list requests, causing CPU exhaustion. The Red Hat advisory RHSA-2010:0602 notes remediation by upgrading the Tomcat component in Red Hat Certificate System to version 5.5.23. Other OSV en...

5CVSS6.2AI score0.05954EPSS
CVE
CVE
added 2011/08/15 9:0 p.m.91 views

CVE-2011-2481

CVE-2011-2481 affects Apache Tomcat 7.0.x prior to 7.0.17. A crafted application loaded earlier than the target can replace the XML parser used by other web applications, allowing local users to read or modify (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications. This vuln...

4.6CVSS4.3AI score0.0084EPSS
CVE
CVE
added 2017/03/23 4:0 p.m.91 views

CVE-2016-9775

The CVE-2016-9775 entry concerns the postrm script in the tomcat6, tomcat7, and tomcat8 packages across Debian/Ubuntu releases, where a misconfigured setgid program in the Catalina directory could allow local users with tomcat access to gain root privileges. Specifically, vulnerable versions incl...

7.8CVSS8.2AI score0.00742EPSS
CVE
CVE
added 2017/03/14 9:2 a.m.90 views

CVE-2016-8747

The CVE-2016-8747 issue affects Apache Tomcat 8.5.7–8.5.9 and 9.0.0.M11–9.0.0.M15 in reverse-proxy configurations, where Http11InputBuffer.java can let a remote attacker read data belonging to a different request. The underlying problem is an information-disclosure vulnerability in the Tomcat rev...

7.5CVSS7AI score0.07179EPSS
CVE
CVE
added 2014/05/31 10:0 a.m.88 views

CVE-2014-0095

CVE-2014-0095 affects Apache Tomcat 8.x, where AbstractAjpProcessor.java improperly handles a Content-Length: 0 AJP request, allowing remote attackers to trigger a denial of service by hanging request processing and consuming threads. Affected version range is Tomcat 8.x prior to 8.0.4. Mitigatio...

5CVSS7AI score0.08494EPSS
CVE
CVE
added 2011/04/08 3:0 p.m.87 views

CVE-2011-1475

CVE-2011-1475 affects Apache Tomcat 7.0.x prior to 7.0.12. The HTTP BIO connector mishandles HTTP pipelining, allowing remote attackers to read responses intended for other clients by examining HTTP packet data, due to a mix-up of responses for requests from different users. Impact is information...

5CVSS4.1AI score0.0869EPSS
CVE
CVE
added 2026/06/29 8:39 p.m.87 views

CVE-2026-53404

Apache Tomcat vulnerability CVE-2026-53404 describes an Always-Incorrect Control Flow in the RewriteValve. If the first condition in an OR chain matches, subsequent non-OR conditions may be skipped, altering rule evaluation. Affected versions include Tomcat 11.0.0-M1–11.0.22, 10.1.0-M1–10.1.55, 9...

7.3CVSS5.7AI score0.00413EPSS
CVE
CVE
added 2009/02/26 11:0 p.m.86 views

CVE-2008-4308

CVE-2008-4308 affects Apache Tomcat 4.1.32–4.1.34 and 5.5.10–5.5.20. The root cause is improper handling in the doRead method, which does not return -1 to signal a certain error condition, allowing the possibility of POST data from one request being sent to another. The consequence is potential i...

2.6CVSS6.2AI score0.03914EPSS
CVE
CVE
added 2002/03/09 5:0 a.m.85 views

CVE-2001-0590

CVE-2001-0590 affects Apache Tomcat Servlet prior to 3.2.2. A malformed URL request that does not end with a protocol (e.g., HTTP/1.0) can cause a remote attacker to read the source code of arbitrary JSP files, constituting information disclosure. The issue is confirmed in multiple sources tying ...

5CVSS6.7AI score0.10956EPSS
CVE
CVE
added 2007/07/25 5:0 p.m.85 views

CVE-2007-3383

CVE-2007-3383 is an XSS flaw in Apache Tomcat’s SendMailServlet (examples/jsp/mail/sendmail.jsp) affecting Tomcat 4.0.0–4.0.6 and 4.1.0–4.1.36. The vulnerability allows remote attackers to inject arbitrary script/HTML via the From field (and possibly other fields) during error-message generation....

4.3CVSS5.5AI score0.09479EPSS
Web
CVE
CVE
added 2007/04/25 8:0 p.m.83 views

CVE-2006-7197

CVE-2006-7197 : The AJP connector in Apache Tomcat 5.5.15 (via mod_jk) has an incorrect chunk length that can cause a buffer over-read in ajp_process_callback, enabling a remote attacker to read memory portions. The linked records (e.g., GHSA-JPQR-VH55-XQXF and RHSA entries) confirm this vulnerab...

7.8CVSS9.3AI score0.08319EPSS
CVE
CVE
added 2008/02/12 12:0 a.m.83 views

CVE-2007-6286

Apache Tomcat 5.5.11–5.5.25 and 6.0.0–6.0.15, when using the native APR connector, fail to properly handle an empty SSL-port request, allowing remote attackers to trigger a duplicate of a recent request (e.g., via netcat). See CVE-2007-6286. NT: Affected versions are confirmed in Nessus/OpenVAS e...

4.3CVSS5.7AI score0.05373EPSS
CVE
CVE
added 2025/08/13 1:21 p.m.83 views

CVE-2025-55668

CVE-2025-55668 is a Session Fixation vulnerability in Apache Tomcat via a rewrite valve. Connected sources confirm affected branches: Tomcat 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105 (older EOL versions may be affected). Debian advisories (DSA-6121-1 for to...

6.5CVSS7.1AI score0.00775EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.82 views

CVE-2002-1394

Apache Tomcat 4.x: vulnerability allows remote disclosure of server source code when using both the invoker servlet and the default servlet (Tomcat 4.0.5 and earlier). Root cause is exposure of server files through misconfigured/default servlet handling; impact is read access to source code and p...

7.5CVSS6.5AI score0.05254EPSS
CVE
CVE
added 2014/02/15 12:0 a.m.82 views

CVE-2013-0346

The set of documents confirms CVE-2013-0346 affects Apache Tomcat 7.x, where the log directory and its files have world-readable permissions, potentially allowing local users to read sensitive information. The Solaris/Nessus plugin reiterates this claim and notes it as a reported vulnerability, w...

2.1CVSS6AI score0.00678EPSS
CVE
CVE
added 2025/10/27 5:29 p.m.82 views

CVE-2025-55754

CVE-2025-55754 affects Apache Tomcat: improper neutralization of ANSI escape sequences in log messages could enable console/clipboard manipulation via crafted URLs. Affected: Tomcat 11.x (11.0.0-M1 to 11.0.10), 10.x (10.1.0-M1 to 10.1.44), 9.x (9.0.40 to 9.0.108), plus some EOL versions. Remediat...

9.6CVSS6.5AI score0.09917EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.80 views

CVE-2002-1148

CVE-2002-1148 refers to a vulnerability in Apache Tomcat where the default servlet (org.apache.catalina.servlets.DefaultServlet) on Tomcat 4.0.4, 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet. Connected sources (GHSA and OSS/ID...

5CVSS6.4AI score0.1682EPSS
CVE
CVE
added 2008/10/13 6:0 p.m.79 views

CVE-2008-3271

CVE-2008-3271 affects Apache Tomcat 5.5.0 and Tomcat 4.1.0 through 4.1.31. The issue is a synchronization-related defect that allows a remote attacker to bypass IP address restrictions and obtain sensitive information when a request is processed concurrently with another in a different thread, re...

4.3CVSS5.9AI score0.04807EPSS
CVE
CVE
added 2026/06/29 8:42 p.m.79 views

CVE-2026-55276

Apache Tomcat vulnerability CVE-2026-55276 is a logging-only issue caused by an always-incorrect control flow in the effective web.xml, leading to special roles and empty authorization constraints not being shown. Affected products include Tomcat 8.5.0–8.5.100, 9.0.0.M1–9.0.118, 10.1.0-M1–10.1.55...

9.1CVSS5.7AI score0.00368EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.77 views

CVE-2002-0493

CVE-2002-0493 affects Apache Tomcat where the web.xml parsing could proceed with errors and allow Tomcat to start with improper security settings, bypassing intended access restrictions. Affected component: Tomcat startup/security settings during web.xml read. Root cause described across sources ...

7.5CVSS6.6AI score0.03804EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.77 views

CVE-2002-0682

Apache Tomcat - CVE-2002-0682: a cross-site scripting (XSS) flaw in the /servlet/ mapping allows remote attackers to execute script as other users by injecting script into a URL, triggered when an exception is thrown by the servlet. Affected version in the public record is Tomcat 4.0.3; vulnerabi...

7.5CVSS6.5AI score0.12237EPSS
CVE
CVE
added 2011/03/14 7:0 p.m.77 views

CVE-2011-1419

Affected software: Apache Tomcat 7.x before 7.0.11. Component/behavior: ServletSecurity handling; when web.xml has no security constraints, Tomcat does not follow ServletSecurity annotations, enabling a remote bypass of access controls via HTTP requests. Root cause: incomplete fix for CVE-2011-10...

5.8CVSS4.4AI score0.0654EPSS
CVE
CVE
added 2011/05/20 10:0 p.m.77 views

CVE-2011-1582

CVE-2011-1582 affects Apache Tomcat 7.0.12 and 7.0.13, where the first request to a servlet is processed without enforcing security constraints configured via annotations, allowing bypass of access restrictions via HTTP requests. The issue is a consequence of an incomplete fix for CVE-2011-1088, ...

4.3CVSS4.5AI score0.06016EPSS
CVE
CVE
added 2003/10/17 4:0 a.m.76 views

CVE-2003-0866

CVE-2003-0866 affects the Catalina org.apache.catalina.connector.http package in Apache Tomcat 4.0.x up to 4.0.6, where malformed HTTP requests can cause the request processing thread pool to become unresponsive, allowing a DoS. Public detail from GHSA confirms Tomcat 4.0.x DoS exposure; remediat...

5CVSS6.3AI score0.32657EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.75 views

CVE-2003-0043

Affected software: Jakarta Tomcat prior to 3.3.1a when used with JDK 1.3.1 or earlier. Root cause: processing of web.xml uses trusted privileges, enabling remote attackers to read portions of some files. Impact: information disclosure (partial). Exploitation details are not provided in the suppli...

5CVSS6.3AI score0.04049EPSS
CVE
CVE
added 2005/07/14 4:0 a.m.74 views

CVE-2002-2007

The CVE-2002-2007 vulnerability affects Apache Tomcat 3.2.3 and 3.2.4, where remote attackers could obtain sensitive information (directory listings and web root path) via erroneous HTTP requests to JSP-related paths (test/jsp, samples/jsp, examples/jsp) or the test/realPath.jsp servlet, leaking ...

5CVSS6.3AI score0.41399EPSS
CVE
CVE
added 2010/11/26 7:0 p.m.72 views

CVE-2010-4312

CVE-2010-4312 affects Apache Tomcat 6.x; the default configuration omits the HTTPOnly flag in Set-Cookie headers, enabling remote session hijacking via script access to cookies. This vulnerability is tied to the standard Tomcat 6.x deployment and is described as a cookie security flag omission th...

6.4CVSS4.4AI score0.02136EPSS
CVE
CVE
added 2003/09/19 4:0 a.m.71 views

CVE-2002-1567

CVE-2002-1567 is an XSS vulnerability in Apache Tomcat 4.1 where an attacker can cause script execution and cookie theft by crafting a URL containing encoded newline characters that precede a .jsp request. The underlying issue is improper sanitization of request strings in Tomcat 4.1 (affecting 4...

6.8CVSS6.1AI score0.268EPSS
CVE
CVE
added 2005/07/14 4:0 a.m.71 views

CVE-2002-2006

CVE-2002-2006 affects Apache Tomcat 4.0–4.1 and 3.0–3.3.1. The vulnerability is an information disclosure: the default Tomcat distribution exposes installation path and other sensitive info via the Sno o pServlet and TroubleShooter example servlets. The issue is explicitly described as informatio...

5CVSS6.1AI score0.30673EPSS
CVE
CVE
added 2004/09/01 4:0 a.m.70 views

CVE-2003-0045

CVE-2003-0045 describes a denial-of-service in Apache Tomcat where requesting a JSP page containing an MS-DOS device name (e.g., aux.jsp) on Windows can cause thread hangs and resource exhaustion. Affected: Tomcat versions prior to 3.3.1a on Windows (notably 3.0–3.3a line). Root cause: the JSP/se...

5CVSS6.6AI score0.02491EPSS
CVE
CVE
added 2005/10/06 4:0 a.m.70 views

CVE-2005-3164

CVE-2005-3164 involves the AJP connector in Apache Tomcat (affected versions: 4.0.1–4.0.6 and 4.1.0–4.1.36) as used in Hitachi Cosminexus Application Server and standalone deployments. The vulnerability arises when a connection is broken before POST request body data is sent; this can lead to an ...

2.6CVSS6AI score0.06521EPSS
CVE
CVE
added 2001/11/22 5:0 a.m.69 views

CVE-2001-0829

Apache Tomcat 3.x is affected by a cross-site scripting vulnerability (CVE-2001-0829) in which a malicious user can craft a request for a JSP file so that the default error page echoes the user-supplied input without proper escaping. The root cause is the error page displaying unvalidated URLs, a...

5.1CVSS5.8AI score0.1382EPSS
CVE
CVE
added 2003/01/29 5:0 a.m.69 views

CVE-2003-0042

CVE-2003-0042 affects Apache Jakarta Tomcat up to version 3.3.1a when used with JDK 1.3.1 or earlier. The vulnerability lets remote attackers cause directory listings and disclose JSP/source via a URL containing a null character, bypassing index.html or other welcome-file safeguards. Root cause i...

5CVSS6.5AI score0.46035EPSS
CVE
CVE
added 2005/03/20 5:0 a.m.69 views

CVE-2005-0808

Apache Tomcat before 5.x is affected by a remote denial-of-service vulnerability triggered by a crafted AJP12 packet to TCP port 8007, which can cause the application to crash or stop responding. The vulnerability is attributed to handling of AJP12 input (malformed/input handling). Affected compo...

5CVSS6.6AI score0.2344EPSS
CVE
CVE
added 2007/08/08 1:11 a.m.69 views

CVE-2007-3384

Apache Tomcat 3.3.x is affected by CVE-2007-3384: multiple XSS vulnerabilities in the examples/servlet/CookieExample allow remote attackers to inject arbitrary script/HTML via the Name or Value fields, related to error messages, in Tomcat 3.3 through 3.3.2. Exploitation details are described acro...

4.3CVSS5.6AI score0.03175EPSS
Web
CVE
CVE
added 2026/05/12 3:32 p.m.69 views

CVE-2026-43514

CVE-2026-43514 describes an observable timing discrepancy in comparing the AJP secret in Apache Tomcat. Affected are Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109 (older unsupported versions may also be affe...

3.7CVSS5.7AI score0.00352EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.68 views

CVE-2000-1210

CVE-2000-1210 is a directory traversal vulnerability in the Tomcat source.jsp component prior to Apache Tomcat 3.1, allowing remote attackers to read arbitrary files by supplying a .. in the request. The issue affects the Tomcat distribution’s source.jsp endpoint and is caused by insufficient val...

5CVSS6.5AI score0.03453EPSS
CVE
CVE
added 2002/08/31 4:0 a.m.68 views

CVE-2002-0936

CVE-2002-0936 affects the Java Server Pages (JSP) engine in Apache Tomcat. A JSP page that calls WPrinterJob().pageSetup(null,null) can cause a denial of service by crashing the web server. The published materials describe the vulnerability and impact but do not provide a listed fix or patch with...

5CVSS6.8AI score0.26849EPSS
CVE
CVE
added 2003/01/29 5:0 a.m.67 views

CVE-2003-0044

CVE-2003-0044 covers multiple cross-site scripting (XSS) vulnerabilities in the Jakarta Tomcat 3.x line (through 3.3.1a) affecting the (1) examples and (2) ROOT web applications. Remote attackers could inject arbitrary script/HTML due to XSS in these components. This is documented across sources ...

6.8CVSS5.7AI score0.09133EPSS
CVE
CVE
added 2007/09/05 7:0 p.m.67 views

CVE-2007-4724

CVE-2007-4724 describes a CSRF vulnerability in the Apache Tomcat calendar examples app, specifically in the file cal2.jsp of the calendar example. The issue allows a remote attacker to add events as arbitrary users by supplying the time and description parameters, enabling unauthorized calendar ...

4.3CVSS6.9AI score0.02135EPSS
CVE
CVE
added 2026/06/29 8:44 p.m.65 views

CVE-2026-55955

CVE-2026-55955 describes an improper authentication flaw in Apache Tomcat’s EncryptionInterceptor for Tribes clustering, allowing a replay attack. Affected versions include Tomcat 11.0.0-M1–11.0.22, 10.1.0-M1–10.1.55, 9.0.13–9.0.18, 8.5.38–8.5.100, and 7.0.100–7.0.109. Remediation is to upgrade t...

6.5CVSS5.7AI score0.0028EPSS
CVE
CVE
added 2011/11/11 9:0 p.m.62 views

CVE-2011-3376

CVE-2011-3376 affects Apache Tomcat 7.x before 7.0.22. The issue is in DefaultInstanceManager.java, where ContainerServlets in the Manager application are not properly restricted, enabling local users to gain privileges by using an untrusted web application to access Manager functionality. Impact...

4.4CVSS6.4AI score0.00641EPSS
CVE
CVE
added 2005/07/14 4:0 a.m.61 views

CVE-2002-2008

CVE-2002-2008 concerns Apache Tomcat 4.0.3 for Windows. The vulnerability allows a remote attacker to disclose the web root path by requesting a resource that does not exist (e.g., lpt9), causing the server to leak information in the error page. This is an information-disclosure in the error hand...

5CVSS6.4AI score0.0711EPSS
CVE
CVE
added 2000/09/21 4:0 a.m.59 views

CVE-2000-0759

The CVE-2000-0759 entry concerns Jakarta Tomcat 3.1 running under Apache, where requesting a nonexistent URL causes an error page that reveals the full physical path of the webroot. Root cause: information disclosure via error handling that leaks filesystem paths, enabling an attacker to map the ...

6.4CVSS6.1AI score0.2566EPSS
CVE
CVE
added 2002/06/25 4:0 a.m.56 views

CVE-2001-0917

The CVE-2001-0917 entry concerns Apache Tomcat 4.0.1. The provided materials confirm an information-disclosure vulnerability where remote attackers can reveal the full install path of Tomcat by requesting a long URL that ends with a .JSP extension. The issue is tied to path disclosure via crafted...

5CVSS6.2AI score0.08176EPSS
CVE
CVE
added 2005/07/14 4:0 a.m.56 views

CVE-2001-1563

CVE-2001-1563 refers to a vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 where attackers could access servlet resources. The vendor advisory is vague about full scope, but a public remediation exists: Apache Tomcat 3.2.4 fixes this issue. While the exact root cause isn’t deta...

7.5CVSS6.5AI score0.04931EPSS
CVE
CVE
added 2003/04/02 5:0 a.m.56 views

CVE-2002-0935

The CVE-2002-0935 issue affects Apache Tomcat 4.0.3 and possibly earlier 4.1.3 beta; it enables remote denial of service through a flood of requests containing null characters, causing server threads to hang due to resource exhaustion. The vulnerability targets the HTTP request handling path, lea...

5CVSS6.7AI score0.07854EPSS
CVE
CVE
added 2005/06/28 4:0 a.m.54 views

CVE-2002-1895

The vulnerability CVE-2002-1895 affects the Tomcat servlet engine in versions 3.3 and 4.0.4 when used with IIS and the ajp1.3 connector. Affected component: servlet engine; issue: remote attackers can trigger a denial of service (crash) by issuing a large sequence of HTTP GET requests for MS-DOS ...

5CVSS7.1AI score0.03879EPSS
CVE
CVE
added 2006/02/01 8:0 p.m.54 views

CVE-2005-4703

CVE-2005-4703 affects Apache Tomcat 4.0.3 on Windows. When a request targets a file whose name matches an MS-DOS device name (e.g., lpt9), the server may disclose the pathname in an error message (demonstrated by lpt9.xtp, e.g., via Nikto). Root cause: improper handling of MS-DOS device names lea...

5CVSS6.1AI score0.25132EPSS
Total number of security vulnerabilities261