tomcat-catalina Licenses and Vulnerabilities

tomcat-catalina Vulnerabilities

Sort by

CVE (Latest)

CVE (Latest)
CVE (Oldest)
CVSS Score (Highest)
CVSS Score (Lowest)

CVE	CVSS Score	CWE(s)	EPSS Score	EPSS %	Impacted Versions
CVE-2007-1358	Low 2.6	CWE-79	0.62909	0.97985	11.0.0–11.0.2 10.0.0–10.1.34 9.0.0.M1–9.0.98 8.0.0-RC1–8.5.100 7.0.0–7.0.109
CVE-2023-28708	Medium 4.3	CWE-523	0.00133	0.48988	11.0.0-M1 10.1.0–10.1.5 9.0.0.M1–9.0.71 8.5.0–8.5.85
CVE-2023-46589	High 7.5	CWE-20, CWE-444	0.00784	0.81229	11.0.0-M1–11.0.0-M9 10.1.0–10.1.15 9.0.0.M1–9.0.82 8.5.0–8.5.95
CVE-2024-50379	Unknown		None	None	11.0.0–11.0.1 10.1.0–10.1.33 9.0.0.M1–9.0.97
CVE-2024-52316	High 9.8	CWE-391	0.00043	0.10859	11.0.0–11.0.0-M9 10.1.0–10.1.29 9.0.0.M1–9.0.95 8.0.0-RC1–8.5.100 7.0.0–7.0.109
CVE-2024-54677	Unknown		None	None	11.0.0–11.0.1 10.1.0–10.1.33 9.0.0.M1–9.0.97
CVE-2020-9484	High 7	CWE-502	0.93186	0.99287	10.0.0-M1–10.0.0-M4 9.0.0.M1–9.0.34 8.5.0–8.5.54 7.0.0–7.0.103
CVE-2021-24122	Medium 5.3	CWE-200	0.00255	0.64502	10.0.0-M1–10.0.0-M9 9.0.0.M1–9.0.39 8.5.0–8.5.59 7.0.0–7.0.106
CVE-2021-25122	High 7.5	CWE-200	0.00191	0.56678	10.0.0–10.0.0-M9 9.0.0.M1–9.0.41 8.5.0–8.5.61
CVE-2021-25329	High 7	CWE-94	0.00046	0.17935	10.0.0–10.0.0-M9 9.0.0.M1–9.0.41 8.5.0–8.5.61 7.0.0–7.0.107
CVE-2021-43980	Low 3.7	CWE-362	0.00149	0.51334	10.0.0–10.1.0-M8 9.0.0.M1–9.0.60 8.5.0–8.5.77
CVE-2019-17563	High 7.5	CWE-384	0.00494	0.75965	9.0.0.M1–9.0.29 8.5.0–8.5.100 7.0.0–7.0.96
CVE-2018-11784	Medium 4.3	CWE-601	0.89195	0.98985	9.0.1–9.0.11 8.5.0–8.5.33 7.0.23–7.0.90
CVE-2018-1304	Medium 5.9	CWE-254, CWE-284	0.0048	0.75538	9.0.1–9.0.4 8.0.1–8.5.27 7.0.0–7.0.85
CVE-2018-1305	Medium 6.5	CWE-22, CWE-284	0.00154	0.52119	9.0.1–9.0.4 8.0.1–8.5.27 7.0.0–7.0.84
CVE-2018-8014	High 9.8	CWE-1188	0.14808	0.95769	9.0.1–9.0.8 8.0.1–8.5.31 7.0.0–7.0.88
CVE-2019-0199	High 7.5	CWE-400	0.23425	0.96582	9.0.0.M1–9.0.14 8.5.0–8.5.37
CVE-2019-0221	Medium 6.1	CWE-79	0.0212	0.88877	9.0.0.M1–9.0.17 8.5.0–8.5.39 7.0.0–7.0.93
CVE-2019-0232	High 8.1	CWE-78	0.97365	0.99957	9.0.0.M1–9.0.17 8.5.0–8.5.39 7.0.0–7.0.93
CVE-2019-12418	High 7	CWE-522	0.00049	0.20124	9.0.0.M1–9.0.27 8.5.0–8.5.47 7.0.0–7.0.96
CVE-2017-7674	Medium 4.3	CWE-345	0.00349	0.71495	8.0.0-RC1–8.5.15 7.0.0–7.0.109
CVE-2016-0762	Medium 5.9	CWE-264, CWE-208	0.00324	0.70386	9.0.0.M1–9.0.0.M9 8.0.1–8.5.4 7.0.0–7.0.70
CVE-2016-3092	High 7.5	CWE-20	0.29976	0.96922	9.0.0.M1–9.0.0.M6 8.0.1–8.5.2 7.0.0–7.0.69
CVE-2016-5018	High 9.1		0.00491	0.75869	9.0.0.M1–9.0.0.M9 8.0.0-RC1–8.5.4 7.0.0–7.0.70
CVE-2016-5388	High 8.1	CWE-284	0.96332	0.99692	8.0.1–8.5.4 7.0.0–7.0.70
CVE-2016-6797	High 7.5	CWE-863, CWE-284	0.00324	0.70386	9.0.0.M1–9.0.0.M9 8.0.0-RC1–8.5.4 7.0.0–7.0.70
CVE-2016-8735	High 9.8	CWE-284	0.9501	0.99483	9.0.0.M1–9.0.0.M9 8.0.1–8.5.6 7.0.0–7.0.72
CVE-2016-8745	High 7.5	CWE-388	0.01456	0.8641	9.0.0.M1–9.0.0.M9 8.0.0-RC1–8.5.8 7.0.0–7.0.73
CVE-2017-12617	High 8.1	CWE-434	0.97327	0.99949	9.0.0.M1–9.0.0.M9 8.0.0-RC1–8.5.21 7.0.0–7.0.81
CVE-2017-5648	High 9.1	CWE-668, CWE-284	0.00871	0.8218	9.0.0.M1–9.0.0.M9 8.0.1–8.5.11 7.0.0–7.0.75
CVE-2017-5664	High 7.5	CWE-254, CWE-755	0.0097	0.83161	9.0.0.M1–9.0.0.M9 8.0.0-RC1–8.5.14 7.0.0–7.0.77
CVE-2017-7675	High 7.5	CWE-22	0.0054	0.77104	9.0.0.M1–9.0.0.M9 8.5.0–8.5.15
CVE-2015-5345	Medium 5.3	CWE-22	0.0052	0.76666	9.0.0.M1 8.0.1–8.0.29 7.0.0–7.0.67
CVE-2016-0706	Medium 4.3	CWE-200	0.00726	0.80477	9.0.0.M1 8.0.0-RC1–8.0.30 7.0.0–7.0.67
CVE-2016-0714	High 8.8	CWE-264	0.00561	0.77526	9.0.0.M1 8.0.1–8.0.30 7.0.0–7.0.67
CVE-2016-0763	Medium 6.3	CWE-264	0.0034	0.71114	9.0.0.M1 8.0.0-RC1–8.0.30 7.0.0–7.0.67
CVE-2012-3546	Medium 4.3	CWE-264	0.00291	0.6861	7.0.0–7.0.28
CVE-2012-4431	Medium 4.3	CWE-264	0.00121	0.46816	7.0.0–7.0.30
CVE-2012-5885	Medium 5.3	CWE-264	0.0017	0.54272	7.0.0–7.0.29
CVE-2012-5886	Medium 5	CWE-287	0.00403	0.7335	7.0.0–7.0.29
CVE-2012-5887	Medium 5.3	CWE-287	0.00403	0.7335	7.0.0–7.0.29
CVE-2013-2067	Medium 6.3	CWE-287	0.01464	0.86436	7.0.0–7.0.32
CVE-2013-2071	Low 3.7	CWE-200	0.00471	0.75342	7.0.0–7.0.32
CVE-2013-4590	Medium 4.3	CWE-200	0.00597	0.78253	7.0.0–7.0.47
CVE-2014-0096	Medium 4.3	CWE-264	0.00126	0.47718	8.0.1–8.0.3 7.0.0–7.0.52
CVE-2014-0119	Medium 4.3	CWE-264	0.00167	0.53772	8.0.1–8.0.5 7.0.0–7.0.53
CVE-2014-0230	High 7.5	CWE-399	0.07366	0.94034	8.0.1–8.0.8 7.0.0–7.0.54
CVE-2015-5346	High 8.1	CWE-384, CWE-200	0.00942	0.82877	8.0.1–8.0.29 7.0.0–7.0.65
CVE-2017-12615	High 8.1	CWE-434	0.96554	0.99739	7.0.0–7.0.79
CVE-2017-12616	High 7.5	CWE-200	0.86087	0.9881	7.0.0–7.0.79
CVE-2022-45143	High 7.5	CWE-116, CWE-74	0.00275	0.677	10.1.0–10.1.1
CVE-2011-1183	Medium 5.4	CWE-284	0.00226	0.60403	7.0.11
CVE-2011-1184	Medium 5.3	CWE-264	0.00181	0.55497	7.0.0–7.0.11
CVE-2011-1475	Medium 5.3	CWE-20	0.00548	0.7729	7.0.0–7.0.11
CVE-2011-2204	Low 3.3	CWE-200	0.00045	0.17761	7.0.0–7.0.14
CVE-2011-2481	Medium 5.9	CWE-284	0.00044	0.11839	7.0.0–7.0.16
CVE-2011-2526	Medium 5.3	CWE-20	0.00046	0.18904	7.0.0–7.0.16
CVE-2011-3375	Medium 5	CWE-200	0.0025	0.64038	7.0.0–7.0.21
CVE-2011-3376	Medium 5.3	CWE-264	0.00042	0.04956	7.0.0–7.0.21
CVE-2011-4858	Medium 5.3	CWE-399	0.80925	0.98577	7.0.0–7.0.22
CVE-2011-5062	Medium 5.3	CWE-264	0.00181	0.55497	7.0.0–7.0.11
CVE-2011-5063	Medium 4.3	CWE-287	0.0036	0.71915	7.0.0–7.0.11
CVE-2011-5064	Medium 4.3	CWE-310	0.00321	0.70238	7.0.0–7.0.11
CVE-2012-0022	Medium 5.3	CWE-189	0.12966	0.95493	7.0.0–7.0.22
CVE-2011-0013	Medium 4.3	CWE-79	0.0127	0.85394	7.0.0–7.0.5
CVE-2011-1088	Medium 5.4	CWE-284	0.00232	0.60904	7.0.0–7.0.8
CVE-2011-1419	Medium 5.4	CWE-284	0.00197	0.57335	7.0.0–7.0.8
CVE-2010-3718	Low 2.9	CWE-22	0.00163	0.53307	7.0.0–7.0.2
CVE-2010-4172	Medium 4.3	CWE-79	0.16569	0.95995	7.0.0–7.0.4
CVE-2011-1582	Medium 4.3	CWE-264	0.00354	0.7169	7.0.12

tomcat-catalina Vulnerability Remediation Guidance

CVE	Description	Full list of Impacted Versions	Fix
CVE-2024-54677	None	11.0.0-M1, 11.0.1, 10.1.33, 9.0.97, 9.0.96, 9.0.63, 9.0.58, 10.1.18 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-52316	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	11.0.0-M1, 8.5.76, 9.0.63, 9.0.58, 10.1.18, 8.5.23, 11.0.0, 9.0.95 (Show all)	Patch → NO_SAFE_VERSION
CVE-2024-50379	None	11.0.0-M1, 11.0.1, 10.1.33, 9.0.97, 9.0.96, 9.0.63, 9.0.58, 10.1.18 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-46589	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	11.0.0-M1, 8.5.76, 9.0.63, 9.0.58, 8.5.23, 8.5.95, 9.0.59, 9.0.14 (Show all)	Patch → NO_SAFE_VERSION
CVE-2023-28708	When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.	11.0.0-M1, 8.5.76, 9.0.63, 9.0.58, 8.5.23, 9.0.59, 9.0.14, 9.0.70 (Show all)	Patch → NO_SAFE_VERSION
CVE-2022-45143	The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.	10.1.0, 10.1.1	Patch → NO_SAFE_VERSION
CVE-2021-43980	The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.	10.0.0-M1, 8.5.76, 9.0.58, 8.5.23, 9.0.59, 9.0.14, 9.0.60, 10.1.0-M11 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-25329	The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.	10.0.0-M1, 8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 10.0.0-M9, 9.0.40 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-25122	When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.	10.0.0-M1, 8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 10.0.0-M9, 9.0.40, 9.0.30 (Show all)	Patch → NO_SAFE_VERSION
CVE-2021-24122	When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.	10.0.0-M1, 8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 10.0.0-M9, 9.0.30 (Show all)	Patch → NO_SAFE_VERSION
CVE-2020-9484	When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.	10.0.0-M1, 8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 9.0.30, 8.5.30 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-17563	When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.	8.5.76, 8.5.23, 8.5.95, 9.0.14, 8.5.93, 8.5.92, 8.5.81, 8.5.90 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-12418	When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.	8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 8.5.30, 8.5.45, 7.0.84 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-0232	When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).	8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 8.5.30, 7.0.84, 9.0.16 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-0221	The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.	8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 7.0.26, 8.5.30, 7.0.84, 9.0.16 (Show all)	Patch → NO_SAFE_VERSION
CVE-2019-0199	The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.	8.5.23, 9.0.14, 8.5.0, 9.0.0.M1, 8.5.30, 9.0.13, 9.0.0.M26, 9.0.0.M21 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-8014	The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.	8.5.23, 8.5.0, 7.0.26, 8.0.32, 8.5.30, 7.0.84, 8.5.29, 8.5.24 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-1305	Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.	8.5.23, 8.5.0, 7.0.26, 8.0.32, 7.0.84, 8.5.24, 8.5.21, 8.5.15 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-1304	The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.	8.5.23, 8.5.0, 7.0.26, 8.0.32, 7.0.84, 8.5.24, 8.5.21, 8.5.15 (Show all)	Patch → NO_SAFE_VERSION
CVE-2018-11784	When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.	8.5.23, 8.5.0, 7.0.26, 8.5.30, 7.0.84, 8.5.33, 8.5.32, 8.5.29 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-7675	The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.	8.5.0, 9.0.0.M1, 9.0.0.M21, 9.0.0.M19, 8.5.15, 8.5.13, 8.5.6, 8.5.5 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-7674	The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.	7.0.109, 8.5.0, 7.0.26, 8.0.32, 7.0.84, 8.5.15, 8.5.13, 8.0.51 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-5664	The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 9.0.0.M19, 8.5.13, 8.0.43, 8.0.37 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-5648	While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.37, 8.0.38, 8.0.5, 7.0.73 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-12617	When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 9.0.0.M26, 9.0.0.M21, 9.0.0.M19, 8.5.21 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-12616	When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.	7.0.26, 7.0.73, 7.0.70, 7.0.61, 7.0.34, 7.0.30, 7.0.23, 7.0.37 (Show all)	Patch → NO_SAFE_VERSION
CVE-2017-12615	When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	7.0.26, 7.0.73, 7.0.70, 7.0.61, 7.0.34, 7.0.30, 7.0.23, 7.0.37 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-8745	A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.37, 8.0.38, 8.0.5, 8.0.0-RC5 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-8735	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.37, 8.0.38, 8.0.5, 7.0.70 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-6797	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.5, 8.0.0-RC5, 8.0.0-RC1, 7.0.70 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-5388	Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.	8.5.0, 7.0.26, 8.0.32, 8.0.51, 8.0.49, 8.0.48, 8.0.46, 8.0.44 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-5018	In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.5, 8.0.0-RC5, 8.0.0-RC1, 7.0.70 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-3092	The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.5, 7.0.61, 7.0.34, 8.0.26 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-0763	The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.	9.0.0.M1, 7.0.26, 8.0.5, 8.0.0-RC5, 8.0.0-RC1, 7.0.61, 7.0.34, 8.0.26 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-0762	The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.	8.5.0, 9.0.0.M1, 7.0.26, 8.0.32, 8.0.5, 7.0.70, 7.0.61, 7.0.34 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-0714	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.	9.0.0.M1, 7.0.26, 8.0.5, 7.0.61, 7.0.34, 8.0.26, 8.0.17, 8.0.14 (Show all)	Patch → NO_SAFE_VERSION
CVE-2016-0706	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.	9.0.0.M1, 7.0.26, 8.0.5, 8.0.0-RC5, 8.0.0-RC1, 7.0.61, 7.0.34, 8.0.26 (Show all)	Patch → NO_SAFE_VERSION
CVE-2015-5346	Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.	7.0.26, 8.0.5, 7.0.61, 7.0.34, 8.0.26, 8.0.17, 8.0.14, 8.0.11 (Show all)	Patch → NO_SAFE_VERSION
CVE-2015-5345	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.	9.0.0.M1, 7.0.26, 8.0.5, 7.0.61, 7.0.34, 8.0.26, 8.0.17, 8.0.14 (Show all)	Patch → NO_SAFE_VERSION
CVE-2014-0230	Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.	7.0.26, 8.0.5, 7.0.34, 7.0.30, 7.0.23, 7.0.37, 7.0.11, 8.0.3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2014-0119	Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.	7.0.26, 8.0.5, 7.0.34, 7.0.30, 7.0.23, 7.0.37, 7.0.11, 8.0.3 (Show all)	Patch → NO_SAFE_VERSION
CVE-2014-0096	java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	7.0.26, 7.0.34, 7.0.30, 7.0.23, 7.0.37, 7.0.11, 8.0.3, 7.0.52 (Show all)	Patch → NO_SAFE_VERSION
CVE-2013-4590	Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, .jspx, .tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.	7.0.26, 7.0.34, 7.0.30, 7.0.23, 7.0.37, 7.0.11, 7.0.28, 7.0.35 (Show all)	Patch → NO_SAFE_VERSION
CVE-2013-2071	java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.	7.0.26, 7.0.30, 7.0.23, 7.0.11, 7.0.28, 7.0.32, 7.0.21, 7.0.14 (Show all)	Patch → NO_SAFE_VERSION
CVE-2013-2067	java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.	7.0.26, 7.0.30, 7.0.23, 7.0.11, 7.0.28, 7.0.32, 7.0.21, 7.0.14 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-5887	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.	7.0.26, 7.0.23, 7.0.11, 7.0.28, 7.0.21, 7.0.14, 7.0.5, 7.0.2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-5886	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.	7.0.26, 7.0.23, 7.0.11, 7.0.28, 7.0.21, 7.0.14, 7.0.5, 7.0.2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-5885	The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.	7.0.26, 7.0.23, 7.0.11, 7.0.28, 7.0.21, 7.0.14, 7.0.5, 7.0.2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-4431	org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.	7.0.26, 7.0.30, 7.0.23, 7.0.11, 7.0.28, 7.0.21, 7.0.14, 7.0.5 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-3546	org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.	7.0.26, 7.0.23, 7.0.11, 7.0.28, 7.0.21, 7.0.14, 7.0.5, 7.0.2 (Show all)	Patch → NO_SAFE_VERSION
CVE-2012-0022	Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.	7.0.11, 7.0.21, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.22, 7.0.20 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-5064	DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.	7.0.11, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-5063	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.	7.0.11, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-5062	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.	7.0.11, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-4858	Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.	7.0.11, 7.0.21, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.22, 7.0.20 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-3376	org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.	7.0.11, 7.0.21, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.20, 7.0.16 , 7.0.0, 7.0.4, 7.0.8, 7.0.12, 7.0.19 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-3375	Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.	7.0.11, 7.0.21, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.20, 7.0.16 , 7.0.0, 7.0.4, 7.0.8, 7.0.12, 7.0.19 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-2526	Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.	7.0.11, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.16, 7.0.0, 7.0.4 , 7.0.8, 7.0.12 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-2481	Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.	7.0.11, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.16, 7.0.0, 7.0.4 , 7.0.8, 7.0.12 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-2204	Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.	7.0.11, 7.0.14, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8 , 7.0.12 (Show all)	Patch → NO_SAFE_VERSION
CVE-2011-1582	Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.	7.0.12	Patch → NO_SAFE_VERSION
CVE-2011-1475	The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."	7.0.11, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-1419	Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.	7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-1184	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.	7.0.11, 7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-1183	Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.	7.0.11	Patch → NO_SAFE_VERSION
CVE-2011-1088	Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.	7.0.5, 7.0.2, 7.0.6, 7.0.0, 7.0.4, 7.0.8	Patch → NO_SAFE_VERSION
CVE-2011-0013	Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.	7.0.5, 7.0.2, 7.0.0, 7.0.4	Patch → NO_SAFE_VERSION
CVE-2010-4172	Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.	7.0.2, 7.0.0, 7.0.4	Patch → NO_SAFE_VERSION
CVE-2010-3718	Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.	7.0.2, 7.0.0	Patch → NO_SAFE_VERSION
CVE-2007-1358	Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".	10.1.34, 11.0.0-M1, 10.0.0-M1, 11.0.2, 9.0.98, 11.0.1, 10.1.33, 9.0.97 (Show all)	Patch → NO_SAFE_VERSION

Instantly see if these tomcat-catalina vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of tomcat-catalina affected by its vulnerabilities

Dependent Packages
org.apache.tomcat:tomcat-servlet-api:11.0.2
org.apache.tomcat:tomcat-jsp-api:11.0.2
org.apache.tomcat:tomcat-juli:11.0.2
org.apache.tomcat:tomcat-annotations-api:11.0.2
org.apache.tomcat:tomcat-api:11.0.2
org.apache.tomcat:tomcat-jni:11.0.2
org.apache.tomcat:tomcat-coyote:11.0.2
org.apache.tomcat:tomcat-util:11.0.2
org.apache.tomcat:tomcat-util-scan:11.0.2
org.apache.tomcat:tomcat-jaspic-api:11.0.2