Lucene search

ApacheTomcat

9 matches found

CVE
added 2007/05/10 12:19 a.m. | 199 views

CVE-2007-1858

The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.

CVSS 2.6 | AI score 5.9 | EPSS 0.06282

CVE
added 2010/04/23 2:30 p.m. | 118 views

CVE-2010-1157

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the r...

CVSS 2.6 | AI score 4.4 | EPSS 0.13817

CVE
added 2013/06/01 2:21 p.m. | 101 views

CVE-2013-2071

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications ...

CVSS 2.6 | AI score 5.7 | EPSS 0.06868

CVE
added 2007/05/10 12:19 a.m. | 88 views

CVE-2007-1358

Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".

CVSS 2.6 | AI score 7.6 | EPSS 0.51554

CVE
added 2012/12/19 11:55 a.m. | 84 views

CVE-2012-4534

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a res...

CVSS 2.6 | AI score 8.9 | EPSS 0.2277

CVE
added 2009/04/09 3:8 p.m. | 82 views

CVE-2008-5519

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST ...

CVSS 2.6 | AI score 5.6 | EPSS 0.05777

CVE
added 2009/02/26 11:30 p.m. | 67 views

CVE-2008-4308

The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request.

CVSS 2.6 | AI score 6.2 | EPSS 0.07583

CVE
added 2014/02/15 2:57 p.m. | 67 views

CVE-2013-0346

Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."

CVSS 2.1 | AI score 6 | EPSS 0.00636

CVE
added 2005/10/06 10:2 a.m. | 53 views

CVE-2005-3164

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsu...

CVSS 2.6 | AI score 6 | EPSS 0.03388