Tomcat Security Vulnerabilities and Issues — Tomcat CVE List

Lucene search

ApacheTomcat

9 matches found

CVE•added 2017/10/04 1:29 a.m.•1449 views

CVE-2017-12617

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted ...

8.1CVSS7.5AI score0.94394EPSS

CVE•added 2017/09/19 1:29 p.m.•1421 views

CVE-2017-12615

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it containe...

8.1CVSS7.4AI score0.9436EPSS

CVE•added 2022/05/13 8:15 a.m.•1146 views

CVE-2022-25762

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling trigg...

8.6CVSS8.3AI score0.00366EPSS

CVE•added 2024/11/07 8:15 a.m.•276 views

CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to...

8.6CVSS7.5AI score0.00804EPSS

CVE•added 2016/07/19 2:0 a.m.•251 views

CVE-2016-5388

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an a...

8.1CVSS6.8AI score0.75024EPSS

CVE•added 2016/02/25 1:59 a.m.•221 views

CVE-2016-0714

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged ...

8.8CVSS8.1AI score0.0595EPSS

CVE•added 2016/02/25 1:59 a.m.•212 views

CVE-2015-5346

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a reques...

8.1CVSS8.1AI score0.39277EPSS

CVE•added 2016/02/25 1:59 a.m.•128 views

CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

8.8CVSS8.4AI score0.06311EPSS

CVE•added 2025/06/16 3:15 p.m.•51 views

CVE-2025-49124

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105...

8.4CVSS6.5AI score0.0002EPSS