Maven package

org.apache.tomcat/tomcat

pkg:maven/org.apache.tomcat/tomcat

Vulnerabilities (148)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2017-5647	Hig	7.5	>= 9.0.0.M1, < 9.0.0.M19	9.0.0.M19	Apr 17, 2017	A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous reque
CVE-2016-8747	Hig	7.5	>= 8.5.7, < 8.5.10	8.5.10	Mar 14, 2017	An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.
CVE-2016-0763	Med	6.3	>= 7.0.0, < 7.0.68	7.0.68	Feb 25, 2016	The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticate
CVE-2016-0714	Hig	8.8	>= 9.0.0.M1, < 9.0.0.M2	9.0.0.M2	Feb 25, 2016	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary co
CVE-2016-0706	Med	4.3	>= 9.0.0.M1, < 9.0.0.M2	9.0.0.M2	Feb 25, 2016	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass int
CVE-2015-5351	Hig	8.8	< 7.0.68	7.0.68	Feb 25, 2016	The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a toke
CVE-2015-5346	Hig	8.1	>= 9.0.0.M1, < 9.0.0.M2	9.0.0.M2	Feb 25, 2016	Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leverag
CVE-2015-5345	Med	5.3	>= 9.0.0.M1, < 9.0.0.M2	9.0.0.M2	Feb 25, 2016	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that l
CVE-2015-5174	Med	4.3	>= 8.0.0-RC1, < 8.0.27	8.0.27	Feb 25, 2016	Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname
CVE-2014-7810		—	>= 6.0.0, < 6.0.44	6.0.44	Jun 7, 2015	The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager
CVE-2014-0230		—	>= 6.0.0, < 6.0.44	6.0.44	Jun 7, 2015	Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a seri
CVE-2014-0227		—	>= 6.0.0, < 6.0.42	6.0.42	Feb 16, 2015	java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request
CVE-2013-4444		—	>= 7.0, < 7.0.40	7.0.40	Sep 12, 2014	Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
CVE-2014-0119		—	< 6.0.40	6.0.40	May 31, 2014	Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XM
CVE-2014-0099		—	< 6.0.40	6.0.40	May 31, 2014	Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header
CVE-2014-0096		—	< 6.0.40	6.0.40	May 31, 2014	java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitra
CVE-2014-0075		—	< 6.0.40	6.0.40	May 31, 2014	Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed c
CVE-2014-0050		—	>= 8.0.0-RC1, < 8.0.3	8.0.3	Apr 1, 2014	MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit
CVE-2014-0033		—	>= 6.0.33, < 6.0.38	6.0.38	Feb 26, 2014	org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
CVE-2013-4590		—	< 6.0.39	6.0.39	Feb 26, 2014	Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, .jspx, .tagx, or *.tld XML document containing an external

CVE-2017-5647HigApr 17, 2017
affected >= 9.0.0.M1, < 9.0.0.M19fixed 9.0.0.M19
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous reque
CVE-2016-8747HigMar 14, 2017
affected >= 8.5.7, < 8.5.10fixed 8.5.10
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.
CVE-2016-0763MedFeb 25, 2016
affected >= 7.0.0, < 7.0.68fixed 7.0.68
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticate
CVE-2016-0714HigFeb 25, 2016
affected >= 9.0.0.M1, < 9.0.0.M2fixed 9.0.0.M2
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary co
CVE-2016-0706MedFeb 25, 2016
affected >= 9.0.0.M1, < 9.0.0.M2fixed 9.0.0.M2
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass int
CVE-2015-5351HigFeb 25, 2016
affected < 7.0.68fixed 7.0.68
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a toke
CVE-2015-5346HigFeb 25, 2016
affected >= 9.0.0.M1, < 9.0.0.M2fixed 9.0.0.M2
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leverag
CVE-2015-5345MedFeb 25, 2016
affected >= 9.0.0.M1, < 9.0.0.M2fixed 9.0.0.M2
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that l
CVE-2015-5174MedFeb 25, 2016
affected >= 8.0.0-RC1, < 8.0.27fixed 8.0.27
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname
CVE-2014-7810Jun 7, 2015
affected >= 6.0.0, < 6.0.44fixed 6.0.44
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager
CVE-2014-0230Jun 7, 2015
affected >= 6.0.0, < 6.0.44fixed 6.0.44
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a seri
CVE-2014-0227Feb 16, 2015
affected >= 6.0.0, < 6.0.42fixed 6.0.42
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request
CVE-2013-4444Sep 12, 2014
affected >= 7.0, < 7.0.40fixed 7.0.40
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
CVE-2014-0119May 31, 2014
affected < 6.0.40fixed 6.0.40
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XM
CVE-2014-0099May 31, 2014
affected < 6.0.40fixed 6.0.40
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header
CVE-2014-0096May 31, 2014
affected < 6.0.40fixed 6.0.40
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitra
CVE-2014-0075May 31, 2014
affected < 6.0.40fixed 6.0.40
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed c
CVE-2014-0050Apr 1, 2014
affected >= 8.0.0-RC1, < 8.0.3fixed 8.0.3
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit
CVE-2014-0033Feb 26, 2014
affected >= 6.0.33, < 6.0.38fixed 6.0.38
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
CVE-2013-4590Feb 26, 2014
affected < 6.0.39fixed 6.0.39
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external

Page 3 of 8