VIR Vulnerability Intelligence Relay

Package impact

java Maven / org.apache.tomcat:tomcat

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2009-3555 critical 9.8 10.0 17y ago The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9… debianubuntufedorajava+2
CVE-2026-43512 critical 9.8 9.8 16d ago Apache Tomcat - Digest authenticator will authenticate any unknown user susedebianjavaapache
CVE-2026-41293 critical 9.8 9.8 16d ago Apache Tomcat - HTTP/2 request headers not validated susedebianjavaapache
CVE-2025-55754 critical 9.6 9.6 9d ago Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences redhatsusedebianjava+1
CVE-2026-29145 critical 9.5 2mo ago Apache Tomcat: CLIENT_CERT authentication does not fail as expected susedebianjava
CVE-2026-43515 critical 9.1 9.1 16d ago Apache Tomcat - Security constraints not correctly applied susedebianjavaapache
CVE-2016-0714 high 8.8 8.8 10y ago The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticat… debianubuntujavaapache
CVE-2015-5351 high 8.8 8.8 10y ago The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, wh… susedebianubuntujava+1
CVE-2015-5346 high 8.1 8.1 10y ago Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the sam… susedebianubuntujava+1
CVE-2026-29129 high 8.0 2mo ago Apache Tomcat: Configured cipher preference order not preserved susedebianjava
CVE-2021-42340 high 8.0 4y ago The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics f… redhatarchdebianjava
CVE-2020-13935 high 8.0 4y ago The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could t… archsusedebianjava
CVE-2020-13934 high 8.0 4y ago Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat archsusedebianjava
CVE-2014-0230 high 7.8 11y ago Uncontrolled Resource Consumption in Apache Tomcat javaapache
CVE-2026-43513 high 7.5 7.5 16d ago Apache Tomcat: LockOutRealm treats user names as case-sensitive susedebianjavaapache
CVE-2026-41284 high 7.5 7.5 16d ago Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling susedebianjavaapache
CVE-2026-34486 high 7.5 7.5 2mo ago Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.5… susedebianjavaapache
CVE-2025-55752 high 7.5 7.5 6mo ago Important: tomcat security update rockylinuxredhatsusedebian+2
CVE-2017-7675 high 7.5 7.5 9y ago The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypa… susedebianjavaapache
CVE-2016-6796 high 7.5 7.5 9y ago Apache Tomcat vulnerable to SecurityManager bypass susedebianredhatubuntu+2
CVE-2016-6817 high 7.5 7.5 9y ago The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of s… debianjavaapache
CVE-2016-6797 high 7.5 7.5 9y ago Incorrect Authorization in Apache Tomcat susedebianredhatubuntu+2
CVE-2017-5664 high 7.5 7.5 9y ago The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwa… susedebianjavaapache
CVE-2017-5650 high 7.5 7.5 9y ago In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting f… debianjavaapache
CVE-2017-5647 high 7.5 7.5 9y ago A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in… susedebianjavaapache
CVE-2014-0050 high 7.5 12y ago Commons FileUpload Denial of service vulnerability debianjavaapache
CVE-2013-2185 high 7.5 13y ago Deserialization of Untrusted Data in Apache Tomcat javaapache
CVE-2011-3190 high 7.5 15y ago Apache Tomcat Allows Remote Attackers to Spoof AJP Requests javaapache
CVE-2026-42498 high 7.3 7.3 16d ago Apache Tomcat - WebSocket authentication header exposure susedebianjavaapache
CVE-2026-43514 low 3.7 3.7 16d ago Apache Tomcat - AJP secret compared in non-constant time susedebianjavaapache
CVE-2013-2071 low 2.6 13y ago Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat javaapache
CVE-2010-1157 low 2.6 16y ago Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat javaapache
CVE-2024-54677 low 2.5 2y ago Apache Tomcat Uncontrolled Resource Consumption vulnerability susedebianjava
CVE-2011-2204 low 1.9 15y ago Insertion of Sensitive Information into Log File in Apache Tomcat javaapache
CVE-2010-3718 low 1.2 16y ago Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat javaapache