Tomcat@8.0.26 Security Vulnerabilities and Issues — Tomcat@8.0.26 CVE List

Lucene search

ApacheTomcat8.0.26

8 matches found

cve•added 2016/07/04 10:59 p.m.•341 views

CVE-2016-3092

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

7.8CVSS7.5AI score0.25272EPSS

cve•added 2016/02/25 1:59 a.m.•222 views

CVE-2016-0714

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged ...

8.8CVSS8.1AI score0.0216EPSS

cve•added 2016/02/25 1:59 a.m.•213 views

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a reques...

8.1CVSS8.1AI score0.39277EPSS

cve•added 2016/02/25 1:59 a.m.•163 views

CVE-2015-5174

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web appl...

4.3CVSS6.2AI score0.00188EPSS

cve•added 2016/02/25 1:59 a.m.•145 views

CVE-2015-5345

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (...

5.3CVSS6.8AI score0.23942EPSS

cve•added 2016/02/25 1:59 a.m.•135 views

CVE-2016-0706

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManag...

4.3CVSS6.3AI score0.0032EPSS

cve•added 2016/02/25 1:59 a.m.•129 views

CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

8.8CVSS8.4AI score0.03695EPSS

cve•added 2016/02/25 1:59 a.m.•128 views

CVE-2016-0763

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass i...

6.5CVSS7.1AI score0.00223EPSS