Package impact

Maven / org.apache.tomcat:tomcat

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2016-0714	high	8.8	8.8	10y ago	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticat…
CVE-2015-5351	high	8.8	8.8	10y ago	The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, wh…	+1
CVE-2015-5346	high	8.1	8.1	10y ago	Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the sam…	+1
CVE-2026-29129	high	—	8.0	2mo ago	Apache Tomcat: Configured cipher preference order not preserved
CVE-2021-42340	high	—	8.0	4y ago	The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics f…
CVE-2020-13935	high	—	8.0	4y ago	The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could t…
CVE-2020-13934	high	—	8.0	4y ago	Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
CVE-2014-0230	high	—	7.8	11y ago	Uncontrolled Resource Consumption in Apache Tomcat
CVE-2026-43513	high	7.5	7.5	16d ago	Apache Tomcat: LockOutRealm treats user names as case-sensitive
CVE-2026-41284	high	7.5	7.5	16d ago	Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
CVE-2026-34486	high	7.5	7.5	2mo ago	Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.5…
CVE-2025-55752	high	7.5	7.5	6mo ago	Important: tomcat security update	+2
CVE-2017-7675	high	7.5	7.5	9y ago	The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypa…
CVE-2016-6796	high	7.5	7.5	9y ago	Apache Tomcat vulnerable to SecurityManager bypass	+2
CVE-2016-6817	high	7.5	7.5	9y ago	The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of s…
CVE-2016-6797	high	7.5	7.5	9y ago	Incorrect Authorization in Apache Tomcat	+2
CVE-2017-5664	high	7.5	7.5	9y ago	The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwa…
CVE-2017-5650	high	7.5	7.5	9y ago	In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting f…
CVE-2017-5647	high	7.5	7.5	9y ago	A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in…
CVE-2014-0050	high	—	7.5	12y ago	Commons FileUpload Denial of service vulnerability
CVE-2013-2185	high	—	7.5	13y ago	Deserialization of Untrusted Data in Apache Tomcat
CVE-2011-3190	high	—	7.5	15y ago	Apache Tomcat Allows Remote Attackers to Spoof AJP Requests
CVE-2026-42498	high	7.3	7.3	16d ago	Apache Tomcat - WebSocket authentication header exposure