Releases531
Frequency1 week 4 days
Last Release
Stars8.2K
Apache Tomcat

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
< 9.0.101, >= 10.1.0, < 10.1.37, >= 11.0.0, < 11.0.57.3 HIGH

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.

< 9.0.119, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.236.5 MEDIUM

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

< 9.0.19, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.236.5 MEDIUM

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.

< 9.0.119, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.239.1 CRITICAL

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.

<= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.119, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.236.1 MEDIUM

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

>= 9.0.83, < 9.0.119, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.239.1 CRITICAL

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

>= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.119, >= 10.1.0, < 10.1.56, >= 11.0.0, < 11.0.237.3 HIGH

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

>= 7.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.229.1 CRITICAL

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

>= 7.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.223.7 LOW

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

>= 7.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.227.5 HIGH

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

>= 7.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.229.8 CRITICAL

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

>= 7.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.227.3 HIGH

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

>= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.0.0, <= 10.0.27, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.229.8 CRITICAL

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

>= 4.0.0, <= 7.0.109, >= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.118, >= 10.0.0, <= 10.0.27, >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.227.5 HIGH

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

= 9.0.116, = 10.1.53, = 11.0.207.5 HIGH

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

>= 9.0.92, < 9.0.117, >= 10.1.22, < 10.1.54, >= 11.0.1, < 11.0.21, = 11.0.06.5 MEDIUM

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

>= 9.0.13, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.217.5 HIGH

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

>= 9.0.114, < 9.0.116, >= 10.1.51, < 10.1.53, >= 11.0.16, < 11.0.207.5 HIGH

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

>= 9.0.0, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.207.5 HIGH

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

>= 9.0.113, < 9.0.116, >= 10.1.50, < 10.1.53, >= 11.0.15, < 11.0.205.3 MEDIUM

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

>= 7.0.100, <= 7.0.109, >= 8.5.38, <= 8.5.100, >= 9.0.13, < 9.0.116, >= 10.0.0, < 10.1.53, >= 11.0.0, < 11.0.207.5 HIGH

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

>= 9.0.83, < 9.0.116, >= 10.1.1, < 10.1.53, >= 11.0.0, < 11.0.20, = 10.1.09.1 CRITICAL

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

>= 9.0.40, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.217.5 HIGH

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

>= 9.0.1, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20, = 9.0.06.1 MEDIUM

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

>= 9.0.83, < 9.0.115, >= 10.1.1, < 10.1.52, >= 11.0.1, < 11.0.18, = 10.1.0, = 11.0.07.5 HIGH

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native:  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

>= 9.0.1, < 9.0.113, >= 10.1.1, < 10.1.50, >= 11.0.1, < 11.0.15, = 9.0.0, = 10.0.0, = 11.0.03.7 LOW

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.

>= 9.0.1, < 9.0.113, >= 10.1.1, < 10.1.50, >= 11.0.1, < 11.0.15, = 9.0.0, = 10.1.0, = 11.0.09.1 CRITICAL

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

>= 8.5.0, <= 8.5.100, >= 9.0.0, < 9.0.110, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.47, >= 11.0.0, < 11.0.125.3 MEDIUM

Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.

>= 8.5.60, <= 8.5.100, >= 9.0.40, < 9.0.109, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.45, >= 11.0.0, < 11.0.119.6 CRITICAL

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

>= 8.5.6, <= 8.5.100, >= 9.0.1, < 9.0.109, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.45, >= 11.0.0, < 11.0.11, = 9.0.07.5 HIGH

Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

= 9.0.0, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8, >= 9.0.1, < 9.0.1066.5 MEDIUM

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

= 9.0.0, >= 10.0.0, < 10.1.44, >= 11.0.0, < 11.0.10, >= 9.0.1, < 9.0.1087.5 HIGH

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

>= 10.1.0, <= 10.1.42, >= 11.0.0, <= 11.0.8, >= 9.0.0, <= 9.0.1067.5 HIGH

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

>= 9.0.0, < 9.0.1077.5 HIGH

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

>= 9.0.0, < 9.0.107, >= 10.1.0, < 10.1.43, >= 11.0.0, < 11.0.97.5 HIGH

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

>= 10.1.0, < 10.1.42, >= 11.0.0, < 11.0.8, >= 9.0.0, < 9.0.1067.5 HIGH

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

>= 10.1.0, < 10.1.42, >= 11.0.0, < 11.0.8, >= 9.0.0, < 9.0.1067.5 HIGH

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

>= 10.1.0, < 10.1.42, >= 11.0.0, < 11.0.8, >= 9.0.23, < 9.0.1068.4 HIGH

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

>= 10.1.0, < 10.1.41, >= 11.0.0, < 11.0.7, >= 9.0.0, < 9.0.1057.3 HIGH

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

>= 10.1.0, < 10.1.40, >= 11.0.0, < 11.0.6, >= 9.0.0, < 9.0.1049.8 CRITICAL

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

= 11.0.0, >= 9.0.76, < 9.0.104, >= 10.1.10, < 10.1.40, >= 11.0.1, < 11.0.67.5 HIGH

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

= 9.0.0, = 10.1.0, = *, >= 10.1.1, < 10.1.35, = 11.0.0, >= 11.0.1, < 11.0.3, < 9.0.999.8 CRITICAL

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

>= 10.1.0, < 10.1.34, >= 11.0.0, < 11.0.2, >= 9.0.0, < 9.0.989.8 CRITICAL

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

>= 10.1.0, < 10.1.34, >= 11.0.0, < 11.0.2, >= 9.0.0, < 9.0.989.8 CRITICAL

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

>= 10.1.0, < 10.1.34, >= 11.0.0, < 11.0.2, >= 9.0.0, < 9.0.985.3 MEDIUM

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

= 10.1.31, = 11.0.0, = 9.0.966.1 MEDIUM

Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.

= 11.0.0, >= 9.0.0, < 9.0.96, >= 10.1.0, < 10.1.319.8 CRITICAL

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

= 11.0.0, >= 10.1.27, < 10.1.31, >= 9.0.92, < 9.0.966.5 MEDIUM

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

= 10.1.0, = 11.0.0, >= 10.1.1, < 10.1.25, >= 9.0.13, < 9.0.908.6 HIGH

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

= 11.0.0, >= 9.0.0, < 9.0.90, >= 10.1.0, < 10.1.257.5 HIGH

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

= 11.0.0, >= 8.5.0, < 8.5.99, >= 10.1.0, < 10.1.19, >= 9.0.0, < 9.0.867.5 HIGH

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

= 11.0.0, >= 8.5.0, < 8.5.99, >= 10.1.0, < 10.1.19, >= 9.0.0, < 9.0.866.3 MEDIUM

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

= 9.0.0, >= 9.0.1, < 9.0.44, >= 8.5.7, < 8.5.645.3 MEDIUM

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

= 11.0.0, >= 10.1.0, < 10.1.16, >= 9.0.0, < 9.0.83, >= 8.5.0, < 8.5.967.5 HIGH

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

= 9.0.0, = 10.1.0, = 11.0.0, >= 10.1.1, < 10.1.14, >= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.815.3 MEDIUM

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

= 9.0.0, = 10.1.0, = 11.0.0, >= 10.1.1, < 10.1.14, >= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.815.3 MEDIUM

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

>= 8.5.85, < 8.5.94, >= 9.0.70, < 9.0.815.9 MEDIUM

Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

= 11.0.0, >= 9.0.0, <= 9.0.80, >= 8.5.0, <= 8.5.93, >= 10.1.0, <= 10.1.137.5 HIGH

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

= 11.0.0, >= 10.1.0, <= 10.1.12, >= 8.5.0, <= 8.5.92, >= 9.0.0, <= 9.0.796.1 MEDIUM

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

= 10.1.8, = 9.0.74, = 8.5.88, = 11.0.07.5 HIGH

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

= 11.0.0, >= 10.1.5, <= 10.1.7, >= 9.0.71, <= 9.0.73, >= 8.5.85, <= 8.5.877.5 HIGH

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

= 11.0.0, > 10.1.0, < 10.1.6, > 9.0.0, < 9.0.72, >= 8.5.0, < 8.5.864.3 MEDIUM

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

= 10.1.0, = 10.1.1, >= 9.0.40, < 9.0.69, = 8.5.837.5 HIGH

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

>= 10.1.0, < 10.1.1, >= 10.0.0, < 10.0.27, >= 9.0.0, < 9.0.68, = *, >= 8.5.0, < 8.5.837.5 HIGH

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

= 10.1.0, >= 8.5.0, <= 8.5.77, >= 9.0.0, <= 9.0.60, >= 10.0.0, <= 10.0.183.7 LOW

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

= 10.1.0, >= 10.0.0, <= 10.0.22, >= 8.5.50, <= 8.5.81, >= 9.0.30, <= 9.0.646.1 MEDIUM4.3 MEDIUM

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

>= 9.0.0, < 9.0.21, >= 8.5.0, < 8.5.768.6 HIGH7.5 HIGH

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

= 10.1.0, >= 10.0.0, <= 10.0.20, >= 9.0.13, <= 9.0.62, >= 8.5.38, <= 8.5.787.5 HIGH5 MEDIUM

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

= 10.0.0, = 10.1.0, >= 8.5.55, <= 8.5.73, >= 9.0.35, <= 9.0.56, >= 10.0.1, <= 10.0.147 HIGH3.7 LOW

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

= 10.0.0, = 10.1.0, >= 10.0.1, < 10.0.12, >= 8.5.60, < 8.5.72, >= 9.0.40, < 9.0.547.5 HIGH5 MEDIUM

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

>= 10.0.0, <= 10.0.2, >= 9.0.0, < 9.0.44, >= 8.5.0, < 8.5.647.5 HIGH4.3 MEDIUM

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

> 9.0.0, <= 9.0.46, > 10.0.0, <= 10.0.6, >= 8.5.0, <= 8.5.665.3 MEDIUM5 MEDIUM

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

>= 10.0.0, < 10.0.6, >= 9.0.0, < 9.0.46, >= 7.0.0, < 7.0.109, >= 8.5.0, < 8.5.666.5 MEDIUM5.8 MEDIUM

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

= 10.0.4, = 9.0.44, = 10.0.3, = 8.5.647.5 HIGH5 MEDIUM

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

= 9.0.0, = 10.0.0, >= 7.0.0, <= 7.0.107, >= 8.5.0, <= 8.5.61, >= 9.0.0, <= 9.0.417 HIGH4.4 MEDIUM

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

= 9.0.0, = 10.0.0, >= 8.5.0, <= 8.5.61, >= 9.0.0, <= 9.0.417.5 HIGH5 MEDIUM

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

= 9.0.0, >= 7.0.0, <= 7.0.106, >= 8.5.0, <= 8.5.59, >= 9.0.1, <= 9.0.39, = 10.0.05.9 MEDIUM4.3 MEDIUM

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

= 9.0.0, = 10.0.0, >= 8.5.1, <= 8.5.59, >= 9.0.1, <= 9.0.35, = 9.0.35-3.39.1, = 9.0.35-3.57.3, = 9.0.36, = 9.0.37, = 9.0.38, = 9.0.397.5 HIGH5 MEDIUM

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

= 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.15, = 8.5.10, = 8.5.13, = 8.5.14, = 8.5.5, = 8.5.1, = 8.5.3, = 8.5.6, = 8.5.7, = 8.5.8, = 8.5.11, = 8.5.12, = 8.5.16, = 8.5.17, = 8.5.18, = 8.5.19, = 8.5.20, = 8.5.21, = 8.5.22, = 9.0.1, = 9.0.2, = 9.0.3, = 9.0.4, = 9.0.0, = 9.0.5, = 9.0.6, = 9.0.7, = 9.0.8, = 9.0.9, = 9.0.10, = 9.0.11, = 10.0.0, = 8.5.23, = 8.5.24, = 8.5.25, = 8.5.26, = 8.5.27, = 8.5.28, = 8.5.29, = 8.5.30, = 8.5.31, = 8.5.32, = 8.5.33, = 8.5.34, = 8.5.35, = 8.5.36, = 8.5.37, = 8.5.38, = 8.5.39, = 8.5.40, = 8.5.41, = 8.5.42, = 8.5.43, = 8.5.44, = 8.5.45, = 8.5.46, = 8.5.47, = 8.5.48, = 8.5.49, = 8.5.50, = 8.5.51, = 8.5.52, = 8.5.53, = 8.5.54, = 8.5.55, = 8.5.56, = 8.5.57, = 9.0.12, = 9.0.13, = 9.0.14, = 9.0.15, = 9.0.16, = 9.0.17, = 9.0.18, = 9.0.19, = 9.0.20, = 9.0.21, = 9.0.22, = 9.0.23, = 9.0.24, = 9.0.25, = 9.0.26, = 9.0.27, = 9.0.28, = 9.0.29, = 9.0.30, = 9.0.31, = 9.0.32, = 9.0.33, = 9.0.34, = 9.0.35, = 9.0.36, = 9.0.374.3 MEDIUM4 MEDIUM

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

= 9.0.0, >= 7.0.27, <= 7.0.104, >= 8.5.0, <= 8.5.56, >= 9.0.1, <= 9.0.36, = 10.0.07.5 HIGH5 MEDIUM

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

= 9.0.0, = 10.0.0, >= 8.5.1, <= 8.5.56, >= 9.0.1, <= 9.0.367.5 HIGH5 MEDIUM

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

< 8.0.53-29.32.1, < 9.0.35-3.39.1, < 9.0.35-3.57.37.7 HIGH7.2 HIGH

A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.

= 9.0.0, >= 8.5.0, <= 8.5.55, >= 9.0.0, <= 9.0.35, = 10.0.07.5 HIGH5 MEDIUM

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

= 9.0.0, = 10.0.0, >= 7.0.0, < 7.0.108, >= 8.5.0, < 8.5.63, >= 9.0.1, < 9.0.437 HIGH4.4 MEDIUM

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

= *, >= 9.0.0, < 9.0.31, >= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.519.8 CRITICAL7.5 HIGH

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

= 9.0.0, >= 7.0.0, <= 7.0.99, >= 8.5.0, <= 8.5.50, >= 9.0.0, <= 9.0.304.8 MEDIUM5.8 MEDIUM

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

>= 8.5.48, <= 8.5.50, >= 7.0.98, <= 7.0.99, >= 9.0.28, <= 9.0.304.8 MEDIUM5.8 MEDIUM

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

>= 7.0.0, <= 7.0.97, >= 8.5.0, <= 8.5.47, >= 9.0.0, <= 9.0.287 HIGH4.4 MEDIUM

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

>= 7.0.0, <= 7.0.98, >= 8.5.0, <= 8.5.49, >= 9.0.0, <= 9.0.297.5 HIGH5.1 MEDIUM

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

= 9.0.0, >= 8.5.0, <= 8.5.40, >= 9.0.1, <= 9.0.195 MEDIUM

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

= 9.0.0, >= 9.0.1, <= 9.0.17, >= 8.5.0, <= 8.5.39, >= 7.0.0, <= 7.0.934.3 MEDIUM

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

>= 7.0.0, <= 7.0.97, >= 8.5.0, <= 8.5.47, = 9.0.0, >= 9.0.1, <= 9.0.285.9 MEDIUM4.3 MEDIUM

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

>= 7.0.0, <= 7.0.93, >= 8.5.0, <= 8.5.39, >= 9.0.1, <= 9.0.17, = 9.0.09.3 HIGH

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

= 9.0.0, >= 9.0.1, <= 9.0.14, >= 8.5.0, <= 8.5.375 MEDIUM

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

= 9.0.0, >= 8.5.0, <= 8.5.33, >= 9.0.1, <= 9.0.11, >= 7.0.23, <= 7.0.904.3 MEDIUM

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

= 9.0.0, = 8.0.0, >= 7.0.28, <= 7.0.86, >= 8.0.0, <= 8.0.51, >= 8.5.0, <= 8.5.30, >= 9.0.1, <= 9.0.77.5 HIGH5 MEDIUM

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

= 9.0.0, >= 9.0.1, <= 9.0.9, >= 8.5.5, <= 8.5.314.3 MEDIUM

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

= 9.0.0, = 8.0.0, >= 8.5.0, <= 8.5.31, >= 8.0.0, <= 8.0.52, >= 7.0.35, <= 7.0.88, >= 9.0.1, <= 9.0.97.5 HIGH5 MEDIUM

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

= 9.0.0, = 8.0.0, >= 8.0.0, <= 8.0.52, >= 9.0.0, <= 9.0.8, >= 8.5.0, <= 8.5.31, >= 7.0.41, <= 7.0.887.5 HIGH

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

= 9.0.0, = 8.0.0, >= 8.5.0, <= 8.5.27, >= 9.0.0, <= 9.0.4, >= 8.0.0, <= 8.0.49, >= 7.0.0, <= 7.0.844.3 MEDIUM

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

>= 7.0.0, <= 7.0.84, = 8.0.0, >= 8.0.0, <= 8.0.49, = 9.0.0, = 9.0.1, = 9.0.2, = 9.0.4, = 9.0.3, >= 8.5.0, <= 8.5.274 MEDIUM

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

= 9.0.0, >= 7.0.79, <= 7.0.82, >= 8.5.16, <= 8.5.23, = 9.0.1, >= 8.0.45, <= 8.0.475 MEDIUM

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

= 7.0.2, = 8.0.4, = 9.0.0, = 8.0.10, = 7.0.49, = 8.0.30, = 8.0.44, = 7.0.12, = 7.0.62, = 8.5.2, = 8.5.9, = 7.0.4, = 7.0.5, = 7.0.20, = 7.0.55, = 8.0.7, = 8.0.40, = 7.0.8, = 8.0.17, = 8.0.26, = 7.0.34, = 7.0.51, = 8.5.4, = 8.0.2, = 7.0.1, = 7.0.58, = 8.5.10, = 8.0.1, = 8.0.12, = 8.0.19, = 8.0.20, = 7.0.11, = 7.0.28, = 7.0.46, = 7.0.63, = 7.0.72, = 8.0.15, = 7.0.50, = 7.0.59, = 7.0.67, = 7.0.76, = 8.5.0, = 8.5.15, = 8.0.0, = 8.0.27, = 7.0.18, = 7.0.26, = 7.0.71, = 8.0.31, = 8.0.39, = 7.0.0, = 7.0.6, = 7.0.14, = 7.0.22, = 7.0.39, = 7.0.48, = 7.0.65, = 8.0.11, = 8.0.29, = 8.0.36, = 7.0.19, = 7.0.29, = 7.0.36, = 7.0.37, = 7.0.45, = 7.0.81, = 8.5.5, = 8.5.6, = 8.5.13, = 8.5.14, = 8.0.6, = 8.0.23, = 8.0.24, = 8.0.25, = 8.0.32, = 8.0.33, = 8.0.41, = 7.0.7, = 7.0.15, = 7.0.16, = 7.0.25, = 7.0.32, = 7.0.41, = 7.0.60, = 7.0.68, = 8.0.9, = 8.0.18, = 8.0.35, = 8.0.42, = 7.0.10, = 7.0.35, = 7.0.42, = 7.0.43, = 7.0.44, = 7.0.54, = 7.0.61, = 7.0.69, = 7.0.79, = 7.0.80, = 8.5.3, = 8.0.13, = 8.0.14, = 8.0.21, = 8.0.22, = 8.0.38, = 7.0.13, = 7.0.23, = 7.0.30, = 7.0.31, = 7.0.38, = 7.0.47, = 7.0.57, = 7.0.66, = 7.0.74, = 7.0.75, = 8.5.1, = 8.5.17, = 8.5.18, = 8.0.28, = 8.0.37, = 8.0.45, = 7.0.21, = 7.0.56, = 7.0.64, = 7.0.73, = 8.5.21, = 8.5.22, = 8.0.16, = 7.0.24, = 7.0.33, = 7.0.40, = 7.0.77, = 8.5.7, = 8.5.8, = 8.5.16, = 8.0.34, = 8.0.43, = 7.0.3, = 7.0.9, = 7.0.17, = 7.0.27, = 7.0.70, = 8.5.11, = 8.5.12, = 8.5.19, = 8.5.20, = 8.0.46, >= 7.0.0, < 7.0.82, >= 8.0, < 8.0.47, >= 8.5.0, < 8.5.23, >= 9.0.0, < 9.0.18.1 HIGH6.8 MEDIUM

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

>= 7.0.0, <= 7.0.798.1 HIGH6.8 MEDIUM

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.62, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.0, = 7.0.4, = 7.0.5, = 7.0.28, = 7.0.46, = 7.0.63, = 7.0.1, = 7.0.22, = 7.0.39, = 7.0.50, = 7.0.59, = 7.0.76, = 7.0.26, = 7.0.51, = 7.0.71, = 7.0.72, = 7.0.65, = 7.0.11, = 7.0.29, = 7.0.36, = 7.0.37, = 7.0.45, = 7.0.6, = 7.0.13, = 7.0.14, = 7.0.23, = 7.0.30, = 7.0.31, = 7.0.47, = 7.0.48, = 7.0.7, = 7.0.15, = 7.0.16, = 7.0.25, = 7.0.41, = 7.0.42, = 7.0.60, = 7.0.67, = 7.0.68, = 7.0.69, = 7.0.10, = 7.0.18, = 7.0.19, = 7.0.35, = 7.0.44, = 7.0.54, = 7.0.61, = 7.0.80, = 7.0.66, = 7.0.74, = 7.0.75, = 7.0.21, = 7.0.56, = 7.0.38, = 7.0.57, = 7.0.24, = 7.0.32, = 7.0.33, = 7.0.40, = 7.0.77, = 7.0.3, = 7.0.9, = 7.0.17, = 7.0.27, = 7.0.43, = 7.0.70, = 7.0.79, = 7.0.64, = 7.0.735 MEDIUM

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

= 7.0.41, = 7.0.42, = 7.0.43, = 7.0.44, = 7.0.45, = 7.0.46, = 7.0.47, = 7.0.48, = 7.0.49, = 7.0.50, = 7.0.51, = 7.0.54, = 7.0.55, = 7.0.56, = 7.0.57, = 7.0.58, = 7.0.59, = 7.0.60, = 7.0.61, = 7.0.62, = 7.0.63, = 7.0.64, = 7.0.65, = 7.0.66, = 7.0.67, = 7.0.68, = 7.0.69, = 7.0.70, = 7.0.71, = 7.0.72, = 7.0.73, = 7.0.74, = 7.0.75, = 7.0.76, = 7.0.77, = 7.0.78, = 7.0.79, = 7.0.80, = 7.0.815 MEDIUM

Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.

= 7.0.41, = 7.0.42, = 7.0.43, = 7.0.44, = 7.0.45, = 7.0.46, = 7.0.47, = 7.0.48, = 7.0.49, = 7.0.50, = 7.0.51, = 7.0.54, = 7.0.55, = 7.0.56, = 7.0.57, = 7.0.58, = 7.0.59, = 7.0.60, = 7.0.61, = 7.0.62, = 7.0.63, = 7.0.64, = 7.0.65, = 7.0.66, = 7.0.67, = 7.0.68, = 7.0.69, = 7.0.70, = 7.0.71, = 7.0.72, = 7.0.73, = 7.0.74, = 7.0.75, = 7.0.76, = 7.0.77, = 7.0.78, = 7.0.79, = 7.0.80, = 7.0.815 MEDIUM

Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

= 9.0.0, = 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.15, = 8.5.6, = 8.5.3, = 8.5.10, = 8.5.5, = 8.5.13, = 8.5.14, = 8.5.7, = 8.5.11, = 8.5.12, = 8.5.1, = 8.5.85 MEDIUM

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

= 8.0.4, = 9.0.0, = 8.0.10, = 7.0.49, = 8.0.30, = 8.0.44, = 7.0.62, = 8.0.17, = 7.0.53, = 7.0.78, = 7.0.58, = 8.0.26, = 8.0.40, = 7.0.46, = 7.0.55, = 7.0.63, = 8.5.0, = 8.5.2, = 8.5.9, = 7.0.72, = 8.0.2, = 8.0.20, = 8.0.7, = 8.0.31, = 8.5.4, = 8.5.15, = 7.0.42, = 7.0.50, = 7.0.59, = 7.0.67, = 8.0, = 8.0.1, = 7.0.74, = 8.0.0, = 8.0.5, = 8.0.12, = 8.0.22, = 8.0.29, = 8.5.10, = 8.0.39, = 7.0.71, = 7.0.44, = 7.0.52, = 7.0.69, = 8.0.19, = 8.0.27, = 8.5.13, = 8.5.14, = 8.0.42, = 7.0.76, = 7.0.48, = 7.0.65, = 7.0.66, = 8.0.15, = 8.5.6, = 8.5.7, = 8.0.37, = 7.0.77, = 7.0.41, = 7.0.68, = 8.0.8, = 8.0.9, = 8.0.18, = 8.0.25, = 8.0.33, = 8.0.34, = 8.5.11, = 8.5.12, = 8.0.41, = 7.0.73, = 7.0.45, = 7.0.54, = 8.0.13, = 8.0.14, = 8.0.21, = 8.5.1, = 8.5.8, = 8.0.38, = 7.0.43, = 7.0.60, = 7.0.61, = 7.0.70, = 8.0.3, = 8.0.11, = 8.0.28, = 8.0.35, = 8.0.36, = 8.5.5, = 8.0.43, = 7.0.75, = 7.0.47, = 7.0.56, = 7.0.57, = 7.0.64, = 8.0.6, = 8.0.16, = 8.0.23, = 8.0.24, = 8.0.32, = 8.5.34.3 MEDIUM

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

= 9.0.0, >= 6.0.0, <= 6.0.45, >= 7.0.0, <= 7.0.70, >= 8.0, <= 8.0.36, >= 8.5.0, <= 8.5.47.5 HIGH5 MEDIUM

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

= 9.0.0, >= 6.0.0, <= 6.0.45, >= 7.0.0, <= 7.0.70, >= 8.0, <= 8.0.36, >= 8.5.0, <= 8.5.47.5 HIGH5 MEDIUM

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

= 8.0.4, = 8.0.10, = 7.0.49, = 8.0.30, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.22, = 7.0.8, = 7.0.55, = 7.0.63, = 8.0.2, = 8.5.4, = 7.0.1, = 7.0.58, = 8.0.20, = 7.0.5, = 8.0.26, = 8.5.2, = 9.0.0, = 7.0.2, = 8.0.7, = 8.0.31, = 8.5.0, = 7.0.23, = 7.0.11, = 7.0.18, = 7.0.46, = 7.0.71, = 7.0.72, = 8.0.1, = 8.0.19, = 8.0.27, = 7.0.0, = 7.0.48, = 7.0.65, = 7.0.66, = 8.0, = 8.0.5, = 8.0.12, = 8.0.29, = 7.0.28, = 7.0.6, = 7.0.44, = 7.0.69, = 8.0.0, = 7.0.39, = 7.0.26, = 7.0.14, = 7.0.50, = 7.0.59, = 7.0.67, = 8.0.15, = 8.0.22, = 8.0.39, = 7.0.30, = 7.0.19, = 7.0.7, = 7.0.45, = 7.0.54, = 7.0.64, = 8.0.3, = 8.0.11, = 8.0.18, = 8.0.28, = 8.0.35, = 8.0.36, = 8.5.3, = 7.0.35, = 7.0.36, = 7.0.24, = 7.0.25, = 7.0.13, = 7.0.9, = 7.0.47, = 7.0.56, = 7.0.57, = 8.0.13, = 8.0.21, = 8.0.37, = 8.0.38, = 8.5.5, = 8.5.6, = 7.0.31, = 7.0.32, = 7.0.40, = 7.0.21, = 7.0.29, = 7.0.16, = 7.0.17, = 7.0.43, = 7.0.52, = 7.0.61, = 7.0.70, = 8.0.8, = 8.0.9, = 8.0.16, = 8.0.24, = 8.0.25, = 8.0.33, = 8.0.34, = 7.0.37, = 7.0.38, = 7.0.27, = 7.0.15, = 7.0.3, = 7.0.4, = 7.0.41, = 7.0.42, = 7.0.60, = 7.0.68, = 8.0.6, = 8.0.14, = 8.0.23, = 8.0.32, = 8.5.7, = 8.5.8, = 7.0.33, = 7.0.73, = 8.5.15 MEDIUM

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

= 8.5.2, = 8.5.4, = 9.0.0, = 8.5.0, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.17.5 HIGH5 MEDIUM

The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

= 9.0.0, >= 6.0.0, <= 6.0.45, >= 7.0.0, <= 7.0.70, >= 8.0, <= 8.0.36, >= 8.5.0, <= 8.5.49.1 CRITICAL6.4 MEDIUM

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

= 9.0.0, >= 6.0.0, <= 6.0.45, >= 7.0.0, <= 7.0.70, >= 8.0, <= 8.0.36, >= 8.5.0, <= 8.5.45.9 MEDIUM4.3 MEDIUM

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

= 9.0.0, >= 6.0.0, <= 6.0.45, >= 7.0.0, <= 7.0.70, >= 8.0, <= 8.0.36, >= 8.5.0, <= 8.5.45.3 MEDIUM5 MEDIUM

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.62, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.4, = 7.0.28, = 7.0.63, = 7.0.71, = 7.0.72, = 7.0.1, = 7.0.39, = 7.0.59, = 7.0.76, = 7.0.26, = 7.0.50, = 7.0.51, = 7.0.0, = 7.0.5, = 7.0.22, = 7.0.46, = 7.0.65, = 7.0.10, = 7.0.11, = 7.0.18, = 7.0.19, = 7.0.35, = 7.0.36, = 7.0.44, = 7.0.45, = 7.0.54, = 7.0.6, = 7.0.7, = 7.0.14, = 7.0.15, = 7.0.23, = 7.0.31, = 7.0.48, = 7.0.66, = 7.0.67, = 7.0.75, = 7.0.16, = 7.0.25, = 7.0.41, = 7.0.42, = 7.0.60, = 7.0.61, = 7.0.68, = 7.0.69, = 7.0.13, = 7.0.29, = 7.0.30, = 7.0.37, = 7.0.47, = 7.0.57, = 7.0.74, = 7.0.27, = 7.0.24, = 7.0.32, = 7.0.40, = 7.0.3, = 7.0.9, = 7.0.17, = 7.0.33, = 7.0.43, = 7.0.70, = 7.0.77, = 7.0.21, = 7.0.38, = 7.0.56, = 7.0.64, = 7.0.73, = 8.0.4, = 8.0.10, = 8.0.30, = 8.0.17, = 8.0.7, = 8.0.26, = 8.0.40, = 8.0.2, = 8.0.20, = 8.0.22, = 8.0.29, = 8.0.39, = 8.0.0, = 8.0.42, = 8.0.1, = 8.0.11, = 8.0.12, = 8.0.19, = 8.0.27, = 8.0.36, = 8.0.5, = 8.0.15, = 8.0.23, = 8.0.24, = 8.0.31, = 8.0.3, = 8.0.13, = 8.0.14, = 8.0.21, = 8.0.38, = 8.0.9, = 8.0.18, = 8.0.25, = 8.0.33, = 8.0.34, = 8.0.43, = 8.0.28, = 8.0.35, = 8.0.37, = 8.0.6, = 8.0.16, = 8.0.32, = 8.0.41, = 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.10, = 8.5.13, = 8.5.14, = 8.5.5, = 8.5.3, = 8.5.1, = 8.5.6, = 8.5.7, = 8.5.8, = 8.5.11, = 8.5.12, = 9.0.05 MEDIUM

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

= 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.10, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.7, = 8.5.1, = 8.5.11, = 8.5.8, = 8.5.12, = 9.0.05 MEDIUM

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

= 7.0.49, = 7.0.12, = 7.0.62, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.0, = 7.0.1, = 7.0.26, = 7.0.50, = 7.0.51, = 7.0.59, = 7.0.5, = 7.0.46, = 7.0.63, = 7.0.71, = 7.0.72, = 7.0.2, = 7.0.18, = 7.0.28, = 7.0.6, = 7.0.22, = 7.0.39, = 7.0.65, = 7.0.75, = 7.0.16, = 7.0.25, = 7.0.41, = 7.0.42, = 7.0.66, = 7.0.67, = 7.0.13, = 7.0.29, = 7.0.30, = 7.0.37, = 7.0.38, = 7.0.45, = 7.0.47, = 7.0.54, = 7.0.10, = 7.0.11, = 7.0.19, = 7.0.35, = 7.0.36, = 7.0.43, = 7.0.44, = 7.0.52, = 7.0.60, = 7.0.61, = 7.0.68, = 7.0.69, = 7.0.74, = 7.0.7, = 7.0.14, = 7.0.15, = 7.0.23, = 7.0.31, = 7.0.32, = 7.0.48, = 7.0.57, = 7.0.9, = 7.0.17, = 7.0.33, = 7.0.4, = 7.0.21, = 7.0.70, = 7.0.3, = 7.0.27, = 7.0.73, = 7.0.24, = 7.0.40, = 7.0.56, = 7.0.64, = 8.0.4, = 8.0.10, = 8.0.30, = 8.0.0, = 8.0.17, = 8.0.7, = 8.0.26, = 8.0.40, = 8.0.2, = 8.0.15, = 8.0.23, = 8.0.24, = 8.0.33, = 8.0.39, = 8.0.5, = 8.0.6, = 8.0.22, = 8.0.31, = 8.0.1, = 8.0.11, = 8.0.12, = 8.0.19, = 8.0.20, = 8.0.27, = 8.0.29, = 8.0.36, = 8.0.41, = 8.0.8, = 8.0.16, = 8.0.32, = 8.0.13, = 8.0.14, = 8.0.21, = 8.0.9, = 8.0.18, = 8.0.25, = 8.0.34, = 8.0.35, = 8.0.3, = 8.0.28, = 8.0.37, = 8.0.38, = 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.10, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.7, = 8.5.8, = 8.5.11, = 8.5.1, = 9.0.06.4 MEDIUM

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

= 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.10, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.7, = 8.5.1, = 8.5.8, = 8.5.11, = 8.5.12, = 9.0.07.5 HIGH

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

= 6.0.33, = 6.0.39, = 6.0.6, = 6.0.11, = 6.0.34, = 6.0.47, = 6.0.22, = 6.0.25, = 6.0.7, = 6.0.9, = 6.0.10, = 6.0.44, = 6.0.52, = 6.0.17, = 6.0.24, = 6.0.42, = 6.0.50, = 6.0.15, = 6.0.23, = 6.0.3, = 6.0.4, = 6.0.20, = 6.0.21, = 6.0.29, = 6.0.37, = 6.0.38, = 6.0.31, = 6.0.1, = 6.0.2, = 6.0.18, = 6.0.19, = 6.0.26, = 6.0.27, = 6.0.35, = 6.0.36, = 6.0.43, = 6.0.0, = 6.0.8, = 6.0.16, = 6.0.32, = 6.0.41, = 6.0.51, = 6.0.5, = 6.0.14, = 6.0.48, = 6.0.49, = 6.0.12, = 6.0.13, = 6.0.28, = 6.0.45, = 6.0.46, = 6.0.30, = 6.0.40, = 7.0.49, = 7.0.12, = 7.0.62, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.5, = 7.0.22, = 7.0.39, = 7.0.46, = 7.0.63, = 7.0.71, = 7.0.72, = 7.0.76, = 7.0.6, = 7.0.65, = 7.0.0, = 7.0.1, = 7.0.26, = 7.0.50, = 7.0.51, = 7.0.59, = 7.0.2, = 7.0.28, = 7.0.74, = 7.0.13, = 7.0.29, = 7.0.30, = 7.0.37, = 7.0.47, = 7.0.54, = 7.0.75, = 7.0.7, = 7.0.14, = 7.0.15, = 7.0.16, = 7.0.23, = 7.0.31, = 7.0.32, = 7.0.41, = 7.0.48, = 7.0.57, = 7.0.66, = 7.0.18, = 7.0.25, = 7.0.42, = 7.0.43, = 7.0.67, = 7.0.68, = 7.0.10, = 7.0.11, = 7.0.19, = 7.0.35, = 7.0.36, = 7.0.44, = 7.0.45, = 7.0.52, = 7.0.60, = 7.0.61, = 7.0.69, = 7.0.73, = 7.0.4, = 7.0.21, = 7.0.38, = 7.0.64, = 7.0.24, = 7.0.40, = 7.0.56, = 7.0.9, = 7.0.17, = 7.0.33, = 7.0.3, = 7.0.27, = 7.0.70, = 8.0.4, = 8.0.10, = 8.0.30, = 8.0.0, = 8.0.17, = 8.0.7, = 8.0.26, = 8.0.40, = 8.0.2, = 8.0.5, = 8.0.12, = 8.0.22, = 8.0.29, = 8.0.39, = 8.0.11, = 8.0.19, = 8.0.20, = 8.0.27, = 8.0.36, = 8.0.1, = 8.0.33, = 8.0.42, = 8.0.15, = 8.0.23, = 8.0.24, = 8.0.31, = 8.0.41, = 8.0.13, = 8.0.21, = 8.0.37, = 8.0.38, = 8.0.3, = 8.0.28, = 8.0.35, = 8.0.8, = 8.0.9, = 8.0.16, = 8.0.18, = 8.0.25, = 8.0.34, = 8.0.6, = 8.0.14, = 8.0.32, = 8.5.2, = 8.5.9, = 8.5.4, = 8.5.0, = 8.5.10, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.7, = 8.5.1, = 8.5.11, = 8.5.12, = 8.5.8, = 9.0.05 MEDIUM

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

= 6.0.33, = 6.0.39, = 6.0.6, = 6.0.11, = 6.0.34, = 6.0.47, = 6.0.22, = 6.0.25, = 6.0.7, = 6.0.15, = 6.0.17, = 6.0.23, = 6.0.24, = 6.0.31, = 6.0.4, = 6.0.20, = 6.0.28, = 6.0.42, = 6.0.10, = 6.0.32, = 6.0.21, = 6.0.29, = 6.0.3, = 6.0.37, = 6.0.38, = 6.0.44, = 6.0.9, = 6.0.0, = 6.0.16, = 6.0.30, = 6.0.46, = 6.0.12, = 6.0.2, = 6.0.27, = 6.0.35, = 6.0.43, = 6.0.8, = 6.0.1, = 6.0.18, = 6.0.19, = 6.0.26, = 6.0.40, = 6.0.41, = 6.0.5, = 6.0.13, = 6.0.14, = 6.0.36, = 6.0.45, = 7.0.49, = 7.0.12, = 7.0.62, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.0, = 7.0.1, = 7.0.39, = 7.0.46, = 7.0.2, = 7.0.28, = 7.0.5, = 7.0.50, = 7.0.59, = 7.0.65, = 7.0.72, = 7.0.18, = 7.0.26, = 7.0.63, = 7.0.71, = 7.0.22, = 7.0.51, = 7.0.6, = 7.0.16, = 7.0.23, = 7.0.30, = 7.0.31, = 7.0.32, = 7.0.47, = 7.0.54, = 7.0.61, = 7.0.69, = 7.0.7, = 7.0.13, = 7.0.27, = 7.0.35, = 7.0.36, = 7.0.42, = 7.0.43, = 7.0.66, = 7.0.10, = 7.0.11, = 7.0.19, = 7.0.25, = 7.0.41, = 7.0.48, = 7.0.57, = 7.0.14, = 7.0.15, = 7.0.21, = 7.0.29, = 7.0.37, = 7.0.38, = 7.0.44, = 7.0.45, = 7.0.52, = 7.0.60, = 7.0.67, = 7.0.68, = 7.0.17, = 7.0.24, = 7.0.4, = 7.0.9, = 7.0.33, = 7.0.40, = 7.0.56, = 7.0.64, = 7.0.70, = 7.0.3, = 8.0.4, = 8.0.10, = 8.0.30, = 8.0.0, = 8.0.17, = 8.0.7, = 8.0.26, = 8.0.2, = 8.0.20, = 8.0.1, = 8.0.24, = 8.0.25, = 8.0.32, = 8.0.33, = 8.0.5, = 8.0.6, = 8.0.21, = 8.0.29, = 8.0.36, = 8.0.11, = 8.0.12, = 8.0.19, = 8.0.27, = 8.0.15, = 8.0.22, = 8.0.23, = 8.0.31, = 8.0.18, = 8.0.13, = 8.0.14, = 8.0.3, = 8.0.37, = 8.0.9, = 8.0.28, = 8.0.34, = 8.0.35, = 8.0.8, = 8.0.16, = 8.0.38, = 8.5.2, = 8.5.4, = 8.5.0, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.1, = 9.0.0, >= 8.5.0, < 8.5.7, >= 8.0, < 8.0.39, >= 7.0.0, < 7.0.73, < 6.0.489.8 CRITICAL7.5 HIGH

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

= 8.0, = 6.0, = 7.07.2 HIGH

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.

= 8.0, = 6.0, = 7.07.2 HIGH

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack.

= 6.0.33, = 6.0.39, = 6.0.6, = 6.0.11, = 6.0.34, = 6.0.47, = 6.0.22, = 6.0.25, = 6.0.7, = 6.0.3, = 6.0.10, = 6.0.28, = 6.0.44, = 6.0.15, = 6.0.23, = 6.0.31, = 6.0.32, = 6.0.9, = 6.0.17, = 6.0.24, = 6.0.42, = 6.0.4, = 6.0.20, = 6.0.21, = 6.0.29, = 6.0.37, = 6.0.38, = 6.0.1, = 6.0.2, = 6.0.18, = 6.0.19, = 6.0.27, = 6.0.35, = 6.0.36, = 6.0.43, = 6.0.14, = 6.0.40, = 6.0.0, = 6.0.8, = 6.0.16, = 6.0.26, = 6.0.41, = 6.0.5, = 6.0.12, = 6.0.13, = 6.0.30, = 6.0.45, = 6.0.46, = 7.0.49, = 7.0.12, = 7.0.62, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.58, = 7.0.8, = 7.0.55, = 7.0.71, = 7.0.72, = 7.0.2, = 7.0.28, = 7.0.63, = 7.0.50, = 7.0.51, = 7.0.59, = 7.0.6, = 7.0.39, = 7.0.0, = 7.0.65, = 7.0.1, = 7.0.18, = 7.0.26, = 7.0.5, = 7.0.22, = 7.0.46, = 7.0.66, = 7.0.67, = 7.0.10, = 7.0.11, = 7.0.19, = 7.0.27, = 7.0.35, = 7.0.36, = 7.0.44, = 7.0.45, = 7.0.48, = 7.0.7, = 7.0.14, = 7.0.15, = 7.0.23, = 7.0.31, = 7.0.32, = 7.0.41, = 7.0.52, = 7.0.54, = 7.0.16, = 7.0.25, = 7.0.42, = 7.0.43, = 7.0.60, = 7.0.61, = 7.0.68, = 7.0.69, = 7.0.57, = 7.0.13, = 7.0.21, = 7.0.29, = 7.0.30, = 7.0.37, = 7.0.38, = 7.0.47, = 7.0.56, = 7.0.3, = 7.0.24, = 7.0.40, = 7.0.70, = 7.0.64, = 7.0.9, = 7.0.17, = 7.0.33, = 7.0.4, = 8.0.4, = 8.0.10, = 8.0.30, = 8.0.0, = 8.0.17, = 8.0.7, = 8.0.26, = 8.0.2, = 8.0.20, = 8.0.11, = 8.0.12, = 8.0.21, = 8.0.29, = 8.0.36, = 8.0.24, = 8.0.25, = 8.0.32, = 8.0.33, = 8.0.1, = 8.0.19, = 8.0.27, = 8.0.5, = 8.0.6, = 8.0.15, = 8.0.22, = 8.0.23, = 8.0.31, = 8.0.3, = 8.0.28, = 8.0.37, = 8.0.38, = 8.0.8, = 8.0.16, = 8.0.9, = 8.0.18, = 8.0.34, = 8.0.35, = 8.0.13, = 8.0.14, = 8.5.2, = 8.5.4, = 8.5.0, = 8.5.5, = 8.5.3, = 8.5.6, = 8.5.1, = 9.0.06.8 MEDIUM

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

= 9.0.0, = 8.5.9, = 8.5.7, = 8.5.8, >= 8.5.7, < 8.5.107.5 HIGH5 MEDIUM

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.

all versions7.2 HIGH

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

all versions7.8 HIGH7.2 HIGH

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

= 6.0, = 7.0, = 8.07.2 HIGH

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

>= 7.0, <= 7.0.70, >= 8.0, <= 8.5.4, >= 6.0, <= 6.0.455.1 MEDIUM

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

= 9.0.0, = 8.0.30, = 8.0.17, = 8.0.26, = 8.0.20, = 8.0.5, = 8.0.1, = 8.0.0, = 8.0.12, = 8.0.27, = 8.0.32, = 8.0.3, = 8.0.22, = 8.0.21, = 8.0.11, = 8.0.8, = 8.0.15, = 8.0.35, = 8.0.33, = 8.0.24, = 8.0.23, = 8.0.14, = 8.0.29, = 8.0.28, = 8.0.18, = 8.5.2, = 8.5.0, = 7.0.2, = 7.0.12, = 7.0.62, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.55, = 7.0.1, = 7.0.65, = 7.0.6, = 7.0.59, = 7.0.5, = 7.0.26, = 7.0.0, = 7.0.67, = 7.0.23, = 7.0.22, = 7.0.14, = 7.0.4, = 7.0.11, = 7.0.63, = 7.0.50, = 7.0.39, = 7.0.28, = 7.0.64, = 7.0.54, = 7.0.52, = 7.0.61, = 7.0.47, = 7.0.37, = 7.0.35, = 7.0.25, = 7.0.19, = 7.0.16, = 7.0.57, = 7.0.56, = 7.0.42, = 7.0.41, = 7.0.33, = 7.0.40, = 7.0.32, = 7.0.30, = 7.0.21, = 7.0.10, = 7.0.69, = 7.0.68, = 7.0.29, = 7.0.277.8 HIGH

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

= 7.0.2, = 8.0.30, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 7.0.20, = 7.0.34, = 8.0.26, = 8.0.12, = 7.0.63, = 7.0.4, = 8.0.27, = 8.0.20, = 8.0.0, = 7.0.59, = 9.0.0, = 7.0.65, = 7.0.55, = 7.0.22, = 7.0.39, = 7.0.28, = 8.0.1, = 7.0.6, = 7.0.50, = 7.0.26, = 7.0.14, = 8.0.3, = 8.0.24, = 8.0.23, = 8.0.11, = 7.0.54, = 7.0.67, = 8.0.18, = 7.0.57, = 7.0.47, = 7.0.42, = 7.0.25, = 7.0.23, = 7.0.11, = 8.0.15, = 8.0.14, = 7.0.41, = 7.0.32, = 7.0.30, = 7.0.21, = 7.0.10, = 7.0.0, = 7.0.29, = 8.0.29, = 8.0.22, = 8.0.21, = 7.0.61, = 7.0.52, = 7.0.5, = 7.0.37, = 7.0.35, = 7.0.27, = 7.0.19, = 7.0.16, = 7.0.33, = 7.0.64, = 7.0.56, = 7.0.40, = 8.0.286.5 MEDIUM

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

= 7.0.2, = 6.0.33, = 6.0.0, = 8.0.30, = 6.0.39, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 8.0.20, = 8.0.0, = 7.0.59, = 7.0.34, = 7.0.26, = 6.0.4, = 9.0.0, = 7.0.55, = 7.0.22, = 8.0.1, = 7.0.39, = 7.0.28, = 8.0.26, = 7.0.63, = 7.0.4, = 7.0.20, = 6.0.11, = 8.0.29, = 7.0.6, = 7.0.5, = 7.0.47, = 7.0.23, = 7.0.14, = 6.0.29, = 8.0.27, = 8.0.15, = 7.0.42, = 7.0.11, = 6.0.37, = 6.0.24, = 6.0.14, = 8.0.22, = 8.0.21, = 8.0.11, = 7.0.52, = 7.0.50, = 7.0.37, = 6.0.32, = 6.0.1, = 6.0.28, = 7.0.67, = 7.0.65, = 8.0.24, = 8.0.23, = 8.0.12, = 7.0.29, = 7.0.0, = 6.0.44, = 6.0.20, = 6.0.10, = 8.0.28, = 8.0.18, = 7.0.35, = 7.0.25, = 7.0.57, = 7.0.56, = 7.0.41, = 7.0.33, = 7.0.32, = 7.0.21, = 7.0.10, = 6.0.26, = 6.0.13, = 8.0.3, = 7.0.61, = 7.0.27, = 7.0.19, = 7.0.16, = 6.0.43, = 6.0.41, = 6.0.30, = 6.0.2, = 6.0.18, = 6.0.16, = 8.0.14, = 7.0.64, = 7.0.54, = 7.0.40, = 7.0.30, = 6.0.36, = 6.0.356.5 MEDIUM

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

= 7.0.2, = 6.0.33, = 6.0.0, = 8.0.30, = 6.0.39, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 8.0.0, = 7.0.59, = 7.0.34, = 7.0.22, = 6.0.4, = 8.0.20, = 8.0.1, = 7.0.26, = 7.0.63, = 7.0.4, = 7.0.39, = 7.0.28, = 9.0.0, = 8.0.26, = 7.0.55, = 7.0.20, = 6.0.11, = 8.0.27, = 7.0.67, = 7.0.65, = 7.0.47, = 7.0.42, = 7.0.23, = 7.0.11, = 6.0.28, = 6.0.14, = 8.0.29, = 8.0.21, = 7.0.6, = 7.0.50, = 7.0.5, = 7.0.37, = 7.0.14, = 6.0.29, = 8.0.23, = 8.0.22, = 8.0.12, = 8.0.11, = 7.0.52, = 7.0.29, = 6.0.44, = 6.0.32, = 6.0.10, = 6.0.1, = 8.0.24, = 8.0.15, = 7.0.0, = 6.0.37, = 6.0.24, = 6.0.20, = 8.0.18, = 7.0.57, = 7.0.56, = 7.0.33, = 6.0.26, = 6.0.16, = 8.0.28, = 7.0.61, = 7.0.35, = 7.0.27, = 7.0.25, = 7.0.16, = 6.0.41, = 6.0.30, = 6.0.2, = 6.0.18, = 8.0.3, = 7.0.19, = 6.0.43, = 6.0.35, = 8.0.14, = 7.0.64, = 7.0.54, = 7.0.41, = 7.0.40, = 7.0.32, = 7.0.30, = 7.0.21, = 7.0.10, = 6.0.36, = 6.0.134 MEDIUM

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

= 7.0.2, = 8.0.30, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 7.0.20, = 7.0.34, = 8.0.26, = 7.0.65, = 7.0.28, = 7.0.4, = 7.0.63, = 9.0.0, = 7.0.22, = 7.0.55, = 7.0.14, = 7.0.59, = 8.0.0, = 8.0.20, = 8.0.12, = 8.0.27, = 7.0.26, = 7.0.39, = 7.0.50, = 7.0.6, = 8.0.1, = 7.0.0, = 7.0.29, = 7.0.30, = 7.0.54, = 8.0.3, = 7.0.10, = 7.0.11, = 7.0.21, = 7.0.32, = 7.0.41, = 7.0.42, = 8.0.15, = 8.0.29, = 7.0.23, = 7.0.25, = 7.0.35, = 7.0.47, = 7.0.5, = 7.0.57, = 8.0.18, = 8.0.14, = 8.0.23, = 8.0.24, = 7.0.67, = 7.0.16, = 7.0.19, = 7.0.27, = 7.0.37, = 7.0.52, = 7.0.61, = 8.0.11, = 8.0.21, = 8.0.22, = 7.0.40, = 7.0.64, = 7.0.33, = 7.0.56, = 8.0.286.8 MEDIUM

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

= 7.0.2, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 7.0.20, = 7.0.34, = 8.0.26, = 7.0.55, = 8.0.12, = 7.0.14, = 7.0.26, = 7.0.50, = 7.0.59, = 7.0.6, = 8.0.27, = 8.0.15, = 7.0.65, = 7.0.28, = 7.0.39, = 7.0.4, = 7.0.63, = 8.0.0, = 9.0.0, = 8.0.1, = 8.0.20, = 7.0.22, = 8.0.29, = 8.0.11, = 8.0.23, = 8.0.24, = 7.0.16, = 7.0.25, = 7.0.35, = 7.0.37, = 7.0.5, = 8.0.14, = 7.0.19, = 7.0.27, = 7.0.52, = 7.0.61, = 8.0.18, = 7.0.0, = 7.0.10, = 7.0.21, = 7.0.29, = 7.0.30, = 7.0.32, = 7.0.40, = 7.0.41, = 7.0.54, = 8.0.3, = 8.0.21, = 8.0.22, = 7.0.11, = 7.0.23, = 7.0.42, = 7.0.47, = 7.0.56, = 7.0.57, = 8.0.28, = 7.0.64, = 7.0.336.8 MEDIUM

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

= 7.0.2, = 6.0.33, = 6.0.0, = 6.0.39, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 6.0.4, = 9.0.0, = 7.0.63, = 7.0.4, = 7.0.39, = 7.0.28, = 7.0.65, = 8.0.0, = 7.0.34, = 7.0.22, = 8.0.26, = 7.0.55, = 7.0.20, = 6.0.11, = 8.0.20, = 8.0.1, = 7.0.59, = 7.0.26, = 8.0.23, = 8.0.22, = 8.0.12, = 8.0.11, = 7.0.52, = 8.0.27, = 7.0.47, = 7.0.42, = 7.0.23, = 7.0.11, = 6.0.28, = 6.0.14, = 8.0.24, = 8.0.15, = 7.0.41, = 7.0.30, = 7.0.29, = 7.0.0, = 6.0.37, = 6.0.24, = 6.0.20, = 6.0.44, = 6.0.32, = 6.0.10, = 6.0.1, = 8.0.29, = 8.0.21, = 7.0.6, = 7.0.50, = 7.0.5, = 7.0.37, = 7.0.14, = 6.0.29, = 7.0.61, = 7.0.27, = 8.0.18, = 7.0.57, = 7.0.56, = 7.0.33, = 6.0.26, = 6.0.16, = 8.0.14, = 7.0.64, = 7.0.54, = 7.0.40, = 7.0.32, = 7.0.21, = 7.0.10, = 6.0.36, = 6.0.35, = 6.0.13, = 7.0.19, = 6.0.43, = 6.0.2, = 8.0.3, = 8.0.28, = 7.0.35, = 7.0.25, = 7.0.16, = 6.0.41, = 6.0.30, = 6.0.185 MEDIUM

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

= 7.0.2, = 6.0.33, = 6.0.0, = 6.0.39, = 7.0.12, = 7.0.62, = 8.0.17, = 7.0.53, = 6.0.4, = 8.0.20, = 8.0.0, = 7.0.63, = 7.0.4, = 7.0.39, = 7.0.28, = 7.0.20, = 6.0.44, = 8.0.1, = 7.0.50, = 7.0.26, = 8.0.26, = 7.0.55, = 7.0.22, = 6.0.11, = 7.0.59, = 7.0.34, = 8.0.24, = 8.0.23, = 8.0.12, = 8.0.11, = 7.0.29, = 7.0.19, = 6.0.10, = 6.0.1, = 8.0.22, = 8.0.21, = 7.0.6, = 7.0.52, = 7.0.5, = 7.0.37, = 7.0.16, = 7.0.14, = 6.0.41, = 6.0.32, = 8.0.15, = 7.0.41, = 7.0.30, = 7.0.10, = 7.0.0, = 6.0.37, = 6.0.24, = 6.0.20, = 7.0.47, = 7.0.42, = 7.0.23, = 7.0.11, = 6.0.29, = 6.0.28, = 6.0.14, = 8.0.18, = 7.0.54, = 6.0.43, = 6.0.35, = 6.0.2, = 7.0.61, = 7.0.35, = 7.0.27, = 6.0.30, = 6.0.18, = 8.0.14, = 7.0.64, = 7.0.56, = 7.0.40, = 7.0.32, = 7.0.21, = 6.0.36, = 6.0.26, = 6.0.13, = 7.0.57, = 7.0.33, = 7.0.25, = 6.0.164 MEDIUM

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

= 7.0.2, = 6.0.33, = 6.0.0, = 7.0.49, = 6.0.39, = 7.0.12, = 6.0.6, = 7.0.53, = 6.0.4, = 7.0.26, = 7.0.4, = 7.0.55, = 6.0.15, = 7.0.20, = 7.0.28, = 7.0.34, = 7.0.5, = 7.0.22, = 7.0.8, = 8.0.5, = 6.0.11, = 6.0.7, = 7.0.1, = 7.0.39, = 7.0.46, = 6.0.1, = 6.0.10, = 6.0.20, = 6.0.31, = 7.0.11, = 7.0.48, = 8.0.0, = 8.0.12, = 6.0.17, = 6.0.24, = 6.0.32, = 6.0.9, = 7.0.42, = 7.0.6, = 8.0.1, = 8.0.15, = 6.0.28, = 7.0.0, = 7.0.14, = 7.0.29, = 7.0.37, = 7.0.44, = 7.0.50, = 7.0.52, = 7.0.7, = 6.0.29, = 6.0.3, = 6.0.37, = 7.0.18, = 7.0.23, = 7.0.45, = 8.0.11, = 6.0.18, = 6.0.19, = 6.0.13, = 6.0.14, = 6.0.2, = 6.0.30, = 6.0.41, = 6.0.8, = 7.0.10, = 7.0.19, = 7.0.25, = 7.0.32, = 7.0.33, = 7.0.40, = 7.0.47, = 7.0.56, = 8.0.14, = 6.0.16, = 6.0.26, = 6.0.43, = 6.0.5, = 7.0.13, = 7.0.27, = 7.0.35, = 7.0.41, = 7.0.57, = 8.0.3, = 6.0.27, = 6.0.35, = 6.0.36, = 7.0.15, = 7.0.21, = 7.0.3, = 7.0.36, = 7.0.43, = 7.0.9, = 8.0.8, = 6.0.12, = 7.0.16, = 7.0.17, = 7.0.24, = 7.0.30, = 7.0.31, = 7.0.38, = 7.0.54, = 8.0.95 MEDIUM

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

= 7.0.2, = 6.0.33, = 6.0.0, = 7.0.49, = 6.0.39, = 7.0.12, = 6.0.6, = 7.0.53, = 6.0.4, = 6.0.11, = 7.0.22, = 6.0.15, = 7.0.26, = 7.0.34, = 7.0.4, = 7.0.8, = 8.0.5, = 6.0.7, = 7.0.1, = 7.0.39, = 7.0.46, = 8.0.1, = 7.0.20, = 7.0.28, = 7.0.5, = 6.0.10, = 6.0.28, = 6.0.29, = 6.0.37, = 7.0.0, = 7.0.37, = 7.0.44, = 7.0.52, = 8.0.0, = 6.0.20, = 6.0.31, = 6.0.32, = 7.0.11, = 7.0.48, = 7.0.7, = 6.0.3, = 7.0.18, = 7.0.23, = 7.0.45, = 7.0.47, = 7.0.6, = 6.0.1, = 6.0.17, = 6.0.24, = 6.0.9, = 7.0.13, = 7.0.14, = 7.0.29, = 7.0.42, = 7.0.50, = 6.0.18, = 6.0.19, = 6.0.36, = 7.0.15, = 7.0.16, = 7.0.21, = 7.0.3, = 7.0.30, = 7.0.38, = 7.0.43, = 6.0.14, = 6.0.2, = 6.0.41, = 6.0.8, = 7.0.19, = 7.0.25, = 7.0.27, = 7.0.33, = 7.0.40, = 8.0.3, = 6.0.12, = 6.0.13, = 6.0.30, = 7.0.10, = 7.0.17, = 7.0.24, = 7.0.31, = 7.0.32, = 7.0.54, = 6.0.16, = 6.0.26, = 6.0.27, = 6.0.35, = 6.0.43, = 6.0.5, = 7.0.35, = 7.0.36, = 7.0.41, = 7.0.9, = 8.0.87.8 HIGH

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

= 7.0.2, = 6.0.33, = 6.0.0, = 7.0.49, = 6.0.39, = 7.0.12, = 6.0.6, = 7.0.53, = 6.0.4, = 6.0.7, = 6.0.11, = 7.0.1, = 7.0.39, = 7.0.46, = 8.0.1, = 6.0.15, = 7.0.20, = 7.0.28, = 7.0.5, = 7.0.22, = 7.0.26, = 7.0.34, = 7.0.4, = 7.0.8, = 8.0.5, = 6.0.20, = 6.0.24, = 6.0.32, = 7.0.0, = 7.0.18, = 7.0.23, = 7.0.45, = 7.0.6, = 6.0.9, = 6.0.17, = 6.0.28, = 6.0.29, = 6.0.37, = 7.0.13, = 7.0.14, = 7.0.42, = 8.0.0, = 6.0.1, = 6.0.10, = 6.0.31, = 7.0.29, = 7.0.37, = 7.0.44, = 7.0.50, = 7.0.52, = 6.0.3, = 7.0.11, = 7.0.47, = 7.0.48, = 7.0.7, = 6.0.2, = 6.0.12, = 7.0.17, = 7.0.24, = 7.0.30, = 7.0.31, = 7.0.32, = 7.0.54, = 6.0.8, = 6.0.5, = 6.0.16, = 7.0.27, = 7.0.35, = 7.0.36, = 7.0.41, = 7.0.9, = 8.0.8, = 6.0.18, = 6.0.19, = 6.0.30, = 6.0.41, = 7.0.15, = 7.0.16, = 7.0.21, = 7.0.3, = 7.0.38, = 7.0.43, = 6.0.13, = 6.0.14, = 6.0.26, = 6.0.27, = 6.0.35, = 6.0.36, = 7.0.10, = 7.0.19, = 7.0.25, = 7.0.33, = 7.0.40, = 8.0.36.4 MEDIUM

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

= 7.0.2, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.1, = 7.0.4, = 7.0.22, = 7.0.26, = 7.0.11, = 7.0.19, = 7.0.10, = 7.0.18, = 7.0.23, = 7.0.25, = 7.0.31, = 7.0.0, = 7.0.15, = 7.0.16, = 7.0.30, = 7.0.37, = 7.0.13, = 7.0.14, = 7.0.28, = 7.0.29, = 7.0.36, = 7.0.27, = 7.0.33, = 7.0.17, = 7.0.24, = 7.0.32, <= 7.0.39, = 7.0.21, = 7.0.3, = 7.0.38, = 7.0.356.8 MEDIUM

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.52, = 7.0.14, = 7.0.28, = 7.0.50, = 7.0.0, = 7.0.22, = 7.0.23, = 7.0.39, = 7.0.44, = 7.0.6, = 7.0.7, = 7.0.11, = 7.0.26, = 7.0.48, = 7.0.18, = 7.0.4, = 7.0.46, = 7.0.15, = 7.0.21, = 7.0.29, = 7.0.36, = 7.0.37, = 7.0.42, = 7.0.43, = 7.0.16, = 7.0.17, = 7.0.3, = 7.0.30, = 7.0.38, = 7.0.45, = 7.0.13, = 7.0.27, = 7.0.33, = 7.0.35, = 7.0.40, = 7.0.41, = 7.0.10, = 7.0.19, = 7.0.24, = 7.0.25, = 7.0.31, = 7.0.32, = 7.0.47, = 7.0.9, = 8.0.1, = 8.0.0, = 8.0.3, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, <= 6.0.39, = 6, = 6.0.7, = 6.0.14, = 6.0.15, = 6.0.20, = 6.0.24, = 6.0.31, = 6.0.32, = 6.0.9, = 6.0.1, = 6.0.17, = 6.0, = 6.0.3, = 6.0.10, = 6.0.28, = 6.0.29, = 6.0.37, = 6.0.5, = 6.0.16, = 6.0.18, = 6.0.26, = 6.0.27, = 6.0.35, = 6.0.12, = 6.0.13, = 6.0.2, = 6.0.30, = 6.0.8, = 6.0.19, = 6.0.364.3 MEDIUM

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

= 8.0.5, = 8.0.1, = 8.0.0, = 8.0.3, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, <= 6.0.39, = 6, = 6.0.7, = 6.0.15, = 6.0.24, = 6.0.32, = 6.0.1, = 6.0.10, = 6.0.17, = 6.0.28, = 6.0.29, = 6.0.3, = 6.0.37, = 6.0, = 6.0.14, = 6.0.20, = 6.0.31, = 6.0.9, = 6.0.16, = 6.0.26, = 6.0.18, = 6.0.27, = 6.0.35, = 6.0.36, = 6.0.12, = 6.0.19, = 6.0.2, = 6.0.8, = 6.0.13, = 6.0.30, = 6.0.5, = 7.0.2, = 7.0.49, = 7.0.12, = 7.0.53, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.28, = 7.0.5, = 7.0.0, = 7.0.23, = 7.0.39, = 7.0.46, = 7.0.7, = 7.0.14, = 7.0.22, = 7.0.44, = 7.0.50, = 7.0.6, = 7.0.11, = 7.0.18, = 7.0.26, = 7.0.4, = 7.0.48, = 7.0.52, = 7.0.13, = 7.0.27, = 7.0.35, = 7.0.40, = 7.0.41, = 7.0.42, = 7.0.16, = 7.0.17, = 7.0.24, = 7.0.30, = 7.0.31, = 7.0.38, = 7.0.45, = 7.0.15, = 7.0.21, = 7.0.29, = 7.0.3, = 7.0.36, = 7.0.37, = 7.0.43, = 7.0.10, = 7.0.19, = 7.0.25, = 7.0.32, = 7.0.33, = 7.0.47, = 7.0.94.3 MEDIUM

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, <= 6.0.39, = 6, = 6.0.7, = 6.0.1, = 6.0.10, = 6.0.17, = 6.0.28, = 6.0.29, = 6.0.3, = 6.0.37, = 6.0.15, = 6.0.24, = 6.0.32, = 6.0, = 6.0.14, = 6.0.20, = 6.0.31, = 6.0.9, = 6.0.18, = 6.0.19, = 6.0.27, = 6.0.35, = 6.0.36, = 6.0.12, = 6.0.2, = 6.0.8, = 6.0.16, = 6.0.26, = 6.0.13, = 6.0.30, = 6.0.5, = 8.0.1, = 8.0.0, = 8.0.3, = 7.0.2, = 7.0.49, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.11, = 7.0.26, = 7.0.4, = 7.0.52, = 7.0.0, = 7.0.22, = 7.0.44, = 7.0.50, = 7.0.6, = 7.0.48, = 7.0.18, = 7.0.23, = 7.0.39, = 7.0.46, = 7.0.7, = 7.0.14, = 7.0.28, = 7.0.10, = 7.0.19, = 7.0.25, = 7.0.32, = 7.0.33, = 7.0.15, = 7.0.16, = 7.0.21, = 7.0.29, = 7.0.3, = 7.0.37, = 7.0.38, = 7.0.43, = 7.0.40, = 7.0.47, = 7.0.9, = 7.0.17, = 7.0.24, = 7.0.30, = 7.0.31, = 7.0.45, = 7.0.13, = 7.0.27, = 7.0.35, = 7.0.36, = 7.0.41, = 7.0.424.3 MEDIUM

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

= 8.0.1, = 8.0.0, = 8.0.35 MEDIUM

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.18, = 7.0.23, = 7.0.39, = 7.0.46, = 7.0.52, = 7.0.14, = 7.0.28, = 7.0.50, = 7.0.11, = 7.0.26, = 7.0.4, = 7.0.48, = 7.0.0, = 7.0.22, = 7.0.44, = 7.0.6, = 7.0.7, = 7.0.10, = 7.0.17, = 7.0.24, = 7.0.31, = 7.0.32, = 7.0.45, = 7.0.47, = 7.0.9, = 7.0.13, = 7.0.29, = 7.0.35, = 7.0.36, = 7.0.41, = 7.0.42, = 7.0.19, = 7.0.25, = 7.0.27, = 7.0.33, = 7.0.40, = 7.0.15, = 7.0.16, = 7.0.21, = 7.0.3, = 7.0.30, = 7.0.37, = 7.0.38, = 7.0.43, = 8.0.1, = 8.0.0, = 8.0.3, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, <= 6.0.39, = 6, = 6.0.7, = 6.0.10, = 6.0.28, = 6.0.37, = 6.0, = 6.0.14, = 6.0.15, = 6.0.20, = 6.0.31, = 6.0.32, = 6.0.9, = 6.0.29, = 6.0.3, = 6.0.1, = 6.0.17, = 6.0.24, = 6.0.18, = 6.0.19, = 6.0.27, = 6.0.36, = 6.0.2, = 6.0.30, = 6.0.5, = 6.0.12, = 6.0.13, = 6.0.8, = 6.0.16, = 6.0.26, = 6.0.355 MEDIUM

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.0, = 7.0.14, = 7.0.22, = 7.0.50, = 7.0.6, = 8.0.0, = 7.0.11, = 7.0.26, = 7.0.4, = 7.0.48, = 7.0.28, = 8.0.1, = 7.0.18, = 7.0.39, = 7.0.46, = 7.0.15, = 7.0.21, = 7.0.29, = 7.0.36, = 7.0.37, = 7.0.43, = 7.0.44, = 7.0.10, = 7.0.19, = 7.0.25, = 7.0.32, = 7.0.40, = 7.0.47, = 7.0.9, = 7.0.13, = 7.0.27, = 7.0.35, = 7.0.41, = 7.0.42, = 7.0.16, = 7.0.17, = 7.0.23, = 7.0.24, = 7.0.30, = 7.0.31, = 7.0.38, = 7.0.45, = 7.0.7, = 7.0.3, = 7.0.337.5 HIGH

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

= 7.0.2, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.1, = 7.0.4, = 7.0.22, = 7.0.39, = 7.0.42, = 7.0.37, = 7.0.29, = 7.0.14, = 7.0.0, = 7.0.45, = 7.0.44, = 7.0.31, = 7.0.30, = 7.0.23, = 7.0.46, = 7.0.26, = 7.0.18, = 7.0.11, = 7.0.41, = 7.0.28, = 7.0.13, = 7.0.43, = 7.0.36, = 7.0.3, = 7.0.21, = 7.0.15, = 7.0.38, = 7.0.17, = 7.0.16, = 7.0.33, = 7.0.32, = 7.0.25, = 7.0.24, = 7.0.19, = 7.0.10, = 7.0.40, = 7.0.35, = 7.0.27, = 8.0.0, = 5.5.27, = 6.0.33, = 6.0.0, = 3.1, = 4.1.2, = 4.0.4, = 4.1.36, = 3.2.1, = 4.1.9, = 5.5.4, = 5.5.14, = 5.0.7, = 5.0.19, = 3.2.2, = 5.5.7, = 5.0.8, = 6.0.11, = 5.5.18, = 5.5.10, = 5.5.1, = 5.0.22, = 5.0.14, = 6, = 5.5.12, = 5.5.11, = 5, = 4.1.24, = 6.0.31, = 6.0.24, = 6.0.20, = 6.0.15, = 5.5.5, = 5.5.28, = 5.5.21, = 5.5.20, = 5.0.6, = 5.0.27, = 5.0.26, = 5.0.10, = 3.3.2, = 6.0.1, = 5.5.6, = 5.5.30, = 5.5.3, = 5.5.22, = 5.5.15, = 5.0.9, = 5.0.21, = 5.0.2, = 4.1.31, = 1.1.3, = 6.0.29, = 6.0.10, = 5.0.30, = 5.0.23, = 5.0.15, = 3.2.4, = 3.0, = 6.0.3, = 5.5.35, = 5.5.26, = 5.0.0, = 6.0.32, = 6.0.16, = 6.0.14, = 5.5.29, = 5.5.13, = 5.0.18, = 5.0.1, = 4.1.3, = 4.1.29, = 4.1.1, = 4.1.0, = 4, = 6.0.35, = 6.0.27, = 6.0.26, = 6.0.18, = 6.0.17, = 5.5.31, = 5.5.23, = 5.5.16, = 5.5.0, = 5.0.29, = 5.0.28, = 5.0.11, = 4.1.12, = 4.1.10, = 4.0.1, = 4.0.0, = 3.2.3, <= 6.0.37, = 6.0.36, = 6.0.28, = 6.0.2, = 6.0.19, = 5.5.9, = 5.5.8, = 5.5.33, = 5.5.32, = 5.5.25, = 5.5.24, = 5.5.17, = 5.0.3, = 5.0.13, = 4.1.15, = 4.0.3, = 4.0.2, = 3.3, = 6.0.30, = 6.0.13, = 6.0.12, = 6.0, = 5.5.34, = 5.5.2, = 5.5.19, = 5.0.5, = 5.0.4, = 5.0.25, = 5.0.24, = 5.0.17, = 5.0.16, = 4.1.28, = 4.0.6, = 4.0.5, = 3.3.1a, = 3.3.1, = 3.2, = 3.1.1, = 5.0.125.8 MEDIUM

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

= 8.0.0, = 5.5.27, = 6.0.33, = 6.0.0, = 3.1, = 4.1.2, = 4.0.4, = 4.1.36, = 3.2.1, = 4.1.9, = 5.5.4, = 5.5.14, = 5.0.8, = 5.0.7, = 5.5.7, = 5.0.19, = 3.2.2, = 5.5.12, = 5.5.11, = 4.1.24, = 6.0.11, = 6, = 5.5.18, = 5.5.10, = 5.5.1, = 5.0.22, = 5.0.14, = 5, = 6.0.24, = 6.0.20, = 6.0.15, = 5.5.5, = 5.5.3, = 5.5.22, = 5.5.21, = 6.0.10, = 6.0.1, = 5.5.6, = 5.5.30, = 5.5.15, = 5.0.9, = 5.0.21, = 5.0.2, = 6.0.31, = 5.0.27, = 5.0.26, = 5.0.10, = 5.5.35, = 5.5.28, = 5.5.20, = 5.0.6, = 5.0.0, = 3.3.2, = 4.1.31, = 3.2.4, = 1.1.3, = 6.0.3, = 6.0.29, = 5.5.26, = 5.0.30, = 5.0.23, = 5.0.15, = 3.0, = 6.0.32, = 6.0.16, = 5.5.29, = 5.5.13, = 6.0.36, = 6.0.35, = 6.0.28, = 6.0.27, = 6.0.26, = 6.0.18, = 6.0.17, = 5.5.31, = 5.5.24, = 5.5.23, = 5.5.16, = 5.5.0, = 5.0.3, = 5.0.29, = 5.0.13, = 6.0.30, = 6.0.2, = 6.0.14, = 5.0.28, = 5.0.18, = 5.0.11, = 4.1.3, = 4.1.29, = 4.1.1, = 4.1.0, = 4.0.0, = 4, = 6.0.13, = 6.0, = 5.5.34, = 5.5.2, = 5.5.19, = 5.0.5, = 5.0.25, = 5.0.24, = 5.0.17, = 5.0.16, = 5.0.1, = 4.1.28, = 4.0.6, = 4.0.5, = 3.3.1a, = 3.2, = 3.1.1, = 4.1.12, = 4.1.10, = 4.0.2, = 4.0.1, = 3.2.3, <= 6.0.37, = 6.0.19, = 6.0.12, = 5.5.9, = 5.5.8, = 5.5.33, = 5.5.32, = 5.5.25, = 5.5.17, = 5.0.4, = 4.1.15, = 4.0.3, = 3.3.1, = 3.3, = 5.0.12, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.1, = 7.0.4, = 7.0.22, = 7.0.39, = 7.0.50, = 7.0.46, = 7.0.31, = 7.0.18, = 7.0.45, = 7.0.44, = 7.0.23, = 7.0.0, = 7.0.41, = 7.0.26, = 7.0.11, = 7.0.42, = 7.0.37, = 7.0.29, = 7.0.28, = 7.0.14, = 7.0.13, = 7.0.32, = 7.0.25, = 7.0.24, = 7.0.19, = 7.0.10, = 7.0.38, = 7.0.30, = 7.0.3, = 7.0.17, = 7.0.16, = 7.0.15, = 7.0.40, = 7.0.33, = 7.0.27, = 7.0.43, = 7.0.36, = 7.0.35, = 7.0.214.3 MEDIUM

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

= 6.0.33, = 6.0.34, = 6.0.37, = 6.0.35, = 6.0.364.3 MEDIUM

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.

= 7.0.2, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.1, = 7.0.4, = 7.0.22, = 7.0.39, = 7.0.50, = 7.0.46, = 7.0.45, = 7.0.31, = 7.0.26, = 7.0.42, = 7.0.41, = 7.0.29, = 7.0.28, = 7.0.14, = 7.0.13, = 7.0.44, = 7.0.37, = 7.0.0, = 7.0.11, = 7.0.23, = 7.0.18, = 7.0.32, = 7.0.40, = 7.0.33, = 7.0.27, = 7.0.36, = 7.0.35, = 7.0.43, = 7.0.38, = 7.0.30, = 7.0.3, = 7.0.21, = 7.0.16, = 7.0.15, = 7.0.19, = 7.0.25, = 7.0.24, = 7.0.17, = 7.0.10, = 5.5.27, = 6.0.33, = 6.0.0, = 3.1, = 4.1.2, = 4.0.4, = 4.1.36, = 3.2.1, = 4.1.9, = 6.0.11, = 6, = 5.5.12, = 5.5.11, = 5, = 4.1.24, = 5.5.18, = 5.5.10, = 5.5.1, = 5.0.22, = 5.0.14, = 5.5.7, = 5.5.4, = 5.5.14, = 5.0.8, = 5.0.7, = 5.0.19, = 3.2.2, = 6.0.29, = 6.0.10, = 6.0.3, = 5.5.35, = 5.5.28, = 5.5.26, = 5.0.0, = 5.0.30, = 5.0.23, = 5.0.15, = 3.2.4, = 3.0, = 6.0.1, = 5.5.6, = 5.5.30, = 5.5.22, = 5.5.15, = 5.0.9, = 5.0.21, = 5.0.2, = 4.1.31, = 1.1.3, = 6.0.31, = 6.0.24, = 6.0.20, = 6.0.15, = 5.5.5, = 5.5.3, = 5.5.21, = 5.5.20, = 5.0.6, = 5.0.27, = 5.0.26, = 5.0.10, = 3.3.2, <= 6.0.37, = 6.0.28, = 6.0.2, = 6.0.19, = 6.0.12, = 5.5.9, = 6.0.30, = 6.0.14, = 6.0.13, = 6.0, = 5.5.34, = 5.5.2, = 5.5.19, = 5.0.5, = 5.0.4, = 5.0.25, = 5.0.24, = 5.0.17, = 5.0.16, = 4.1.28, = 4.0.6, = 4.0.5, = 3.3.1a, = 3.3.1, = 3.2, = 3.1.1, = 5.5.8, = 5.5.33, = 5.5.32, = 5.5.25, = 5.5.24, = 5.5.17, = 5.0.3, = 4.1.15, = 4.0.3, = 3.3, = 6.0.36, = 6.0.35, = 6.0.27, = 6.0.26, = 6.0.18, = 6.0.17, = 5.5.31, = 5.5.23, = 5.5.16, = 5.5.0, = 5.0.29, = 5.0.28, = 5.0.13, = 4.1.3, = 4.1.12, = 4.1.10, = 4.0.2, = 4.0.1, = 4.0.0, = 3.2.3, = 6.0.32, = 6.0.16, = 5.5.29, = 5.5.13, = 5.0.18, = 5.0.11, = 5.0.1, = 4.1.29, = 4.1.1, = 4.1.0, = 4, = 5.0.12, = 8.0.04.3 MEDIUM

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

= 7.0.2, = 7.0.49, = 7.0.12, = 7.0.20, = 7.0.34, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.18, = 7.0.11, = 7.0.26, = 7.0.28, = 7.0.4, = 7.0.42, = 7.0.0, = 7.0.14, = 7.0.23, = 7.0.6, = 7.0.48, = 7.0.22, = 7.0.39, = 7.0.44, = 7.0.46, = 7.0.50, = 7.0.7, = 7.0.19, = 7.0.32, = 7.0.33, = 7.0.10, = 7.0.13, = 7.0.25, = 7.0.27, = 7.0.40, = 7.0.41, = 7.0.9, = 7.0.16, = 7.0.21, = 7.0.3, = 7.0.31, = 7.0.36, = 7.0.38, = 7.0.43, = 7.0.45, = 7.0.35, = 7.0.47, = 7.0.15, = 7.0.17, = 7.0.24, = 7.0.29, = 7.0.30, = 7.0.372.1 LOW

Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."

<= 7.0.397.5 HIGH

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue

= 3.1, = 4.1.2, = 4.0.4, = 4.1.36, = 3.2.1, = 4.1.9, = 5.5.18, = 5.0.8, = 5, <= 5.5.25, = 5.5.10, = 5.0.22, = 5.0.15, = 4.1.24, = 5.0.7, = 5.0.19, = 5.5.4, = 5.5.6, = 5.5.7, = 5.5.14, = 5.5.12, = 5.5.11, = 3.2.2, = 5.5.1, = 5.0.9, = 5.0.14, = 5.5.0, = 5.0.30, = 5.0.29, = 4.1.31, = 3.0, = 5.5.3, = 5.5.22, = 5.5.21, = 5.5.20, = 5.5.2, = 5.0.6, = 5.0.5, = 5.0.2, = 5.0.18, = 5.0.16, = 4.1.29, = 3.3.2, = 3.3.1a, = 5.5.5, = 5.5.15, = 5.5.13, = 5.0.28, = 5.0.27, = 5.0.26, = 5.0.10, = 5.0.0, = 4.1.1, = 4.0.6, = 5.5.24, = 5.0.23, = 5.0.21, = 4.0.3, = 4.0.1, = 3.2.4, = 1.1.3, = 5.5.9, = 5.5.23, = 5.5.19, = 5.5.17, = 5.0.24, = 5.0.13, = 4.1.15, = 4.0.2, = 3.3, = 3.2.3, = 3.1.1, = 5.5.8, = 5.0.17, = 4.1.3, = 4.1.28, = 4.0.0, = 4, = 5.0.25, = 5.0.11, = 5.0.1, = 4.1.10, = 4.1.0, = 4.0.5, = 3.2, = 5.5.16, = 5.0.4, = 5.0.3, = 5.0.12, = 4.1.12, = 3.3.16.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.14, = 6.0.31, = 6.0.12, = 6.0.29, = 6.0.1, = 6.0, = 6.0.9, = 6.0.28, = 6.0.24, = 6.0.17, = 6.0.32, = 6.0.3, = 6.0.10, = 6.0.36, = 6.0.35, = 6.0.2, = 6.0.27, = 6.0.30, = 6.0.8, = 6.0.5, = 6.0.13, = 6.0.16, = 6.0.18, = 6.0.26, = 6.0.19, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.13, = 7.0.17, = 7.0.0, = 7.0.19, = 7.0.16, = 7.0.7, = 7.0.18, = 7.0.15, = 7.0.23, = 7.0.11, = 7.0.25, = 7.0.6, = 7.0.21, = 7.0.14, = 7.0.10, = 7.0.28, = 7.0.9, = 7.0.35 MEDIUM

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.

= 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.15, = 7.0.30, = 7.0.23, = 7.0.11, = 7.0.0, = 7.0.25, = 7.0.13, = 7.0.16, = 7.0.7, = 7.0.6, = 7.0.19, = 7.0.21, = 7.0.18, = 7.0.14, = 7.0.10, = 7.0.28, = 7.0.32, = 7.0.17, = 7.0.3, = 7.0.92.6 LOW

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

= 6.0.33, = 6.0.21, = 6.0.31, = 6.0.29, = 6.0.24, = 6.0.32, = 6.0.28, = 6.0.30, = 6.0.26, = 6.0.35, = 6.0.27, = 6.0.36, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.0, = 7.0.13, = 7.0.15, = 7.0.23, = 7.0.11, = 7.0.16, = 7.0.7, = 7.0.19, = 7.0.6, = 7.0.21, = 7.0.32, = 7.0.28, = 7.0.18, = 7.0.30, = 7.0.14, = 7.0.10, = 7.0.25, = 7.0.3, = 7.0.9, = 7.0.176.8 MEDIUM

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.9, = 6.0, = 6.0.14, = 6.0.29, = 6.0.18, = 6.0.1, = 6.0.32, = 6.0.2, = 6.0.3, = 6.0.12, = 6.0.28, = 6.0.5, = 6.0.24, = 6.0.31, = 6.0.17, = 6.0.10, = 6.0.8, = 6.0.27, = 6.0.13, = 6.0.19, = 6.0.16, = 6.0.30, = 6.0.35, = 6.0.26, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.6, = 7.0.17, = 7.0.14, = 7.0.28, = 7.0.9, = 7.0.13, = 7.0.0, = 7.0.7, = 7.0.19, = 7.0.15, = 7.0.23, = 7.0.25, = 7.0.16, = 7.0.21, = 7.0.18, = 7.0.10, = 7.0.11, = 7.0.34.3 MEDIUM

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.9, = 6.0.28, = 6.0.1, = 6.0.32, = 6.0.24, = 6.0.14, = 6.0.29, = 6.0.17, = 6.0.3, = 6.0.10, = 6.0, = 6.0.31, = 6.0.12, = 6.0.8, = 6.0.13, = 6.0.16, = 6.0.27, = 6.0.30, = 6.0.35, = 6.0.2, = 6.0.5, = 6.0.18, = 6.0.26, = 6.0.19, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.23, = 7.0.6, = 7.0.21, = 7.0.17, = 7.0.14, = 7.0.28, = 7.0.13, = 7.0.0, = 7.0.19, = 7.0.16, = 7.0.7, = 7.0.18, = 7.0.15, = 7.0.10, = 7.0.11, = 7.0.25, = 7.0.30, = 7.0.9, = 7.0.34.3 MEDIUM

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.9, = 6.0.14, = 6.0.29, = 6.0.1, = 6.0.3, = 6.0.12, = 6.0.32, = 6.0.17, = 6.0.10, = 6.0, = 6.0.28, = 6.0.24, = 6.0.31, = 6.0.8, = 6.0.2, = 6.0.27, = 6.0.13, = 6.0.19, = 6.0.16, = 6.0.18, = 6.0.26, = 6.0.30, = 6.0.35, = 6.0.5, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.6, = 7.0.21, = 7.0.17, = 7.0.14, = 7.0.23, = 7.0.0, = 7.0.16, = 7.0.7, = 7.0.18, = 7.0.15, = 7.0.10, = 7.0.11, = 7.0.25, = 7.0.13, = 7.0.19, = 7.0.9, = 7.0.32.6 LOW

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.

>= 7.0.0, <= 7.0.1055 MEDIUM

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.0, = 5.5.25, = 5.5.33, = 5.5.15, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.35, = 5.5.30, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.6, = 5.5.26, = 5.5.28, = 5.5.5, = 5.5.32, = 5.5.20, = 5.5.8, = 5.5.29, = 5.5.17, = 5.5.24, = 5.5.19, = 5.5.34, = 5.5.16, = 5.5.13, = 5.5.23, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.9, = 6.0.1, = 6.0.32, = 6.0.24, = 6.0.17, = 6.0.10, = 6.0.28, = 6.0.31, = 6.0, = 6.0.14, = 6.0.29, = 6.0.3, = 6.0.12, = 6.0.8, = 6.0.18, = 6.0.19, = 6.0.16, = 6.0.26, = 6.0.2, = 6.0.5, = 6.0.13, = 6.0.35, = 6.0.30, = 6.0.27, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.18, = 7.0.15, = 7.0.11, = 7.0.25, = 7.0.16, = 7.0.6, = 7.0.21, = 7.0.14, = 7.0.10, = 7.0.28, = 7.0.23, = 7.0.0, = 7.0.7, = 7.0.19, = 7.0.13, = 7.0.17, = 7.0.9, = 7.0.35 MEDIUM

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.30, = 5.5.0, = 5.5.33, = 5.5.31, = 5.5.3, = 5.5.2, = 5.5.9, = 5.5.20, = 5.5.21, = 5.5.25, = 5.5.15, = 5.5.22, = 5.5.35, = 5.5.28, = 5.5.6, = 5.5.5, = 5.5.26, = 5.5.32, = 5.5.8, = 5.5.17, = 5.5.24, = 5.5.19, = 5.5.29, = 5.5.34, = 5.5.23, = 5.5.16, = 5.5.13, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0, = 6.0.14, = 6.0.29, = 6.0.1, = 6.0.17, = 6.0.3, = 6.0.10, = 6.0.9, = 6.0.28, = 6.0.32, = 6.0.24, = 6.0.31, = 6.0.12, = 6.0.18, = 6.0.26, = 6.0.2, = 6.0.19, = 6.0.27, = 6.0.8, = 6.0.13, = 6.0.16, = 6.0.35, = 6.0.30, = 6.0.5, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.21, = 7.0.18, = 7.0.14, = 7.0.10, = 7.0.25, = 7.0.28, = 7.0.6, = 7.0.17, = 7.0.9, = 7.0.15, = 7.0.23, = 7.0.11, = 7.0.0, = 7.0.16, = 7.0.7, = 7.0.13, = 7.0.19, = 7.0.35 MEDIUM

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.28, = 5.5.5, = 5.5.25, = 5.5.6, = 5.5.15, = 5.5.22, = 5.5.26, = 5.5.32, = 5.5.20, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.30, = 5.5.0, = 5.5.33, = 5.5.3, = 5.5.2, = 5.5.35, = 5.5.13, = 5.5.34, = 5.5.16, = 5.5.23, = 5.5.8, = 5.5.29, = 5.5.19, = 5.5.17, = 5.5.24, = 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.9, = 6.0.28, = 6.0.24, = 6.0, = 6.0.1, = 6.0.31, = 6.0.12, = 6.0.14, = 6.0.29, = 6.0.17, = 6.0.3, = 6.0.10, = 6.0.32, = 6.0.8, = 6.0.2, = 6.0.5, = 6.0.13, = 6.0.35, = 6.0.30, = 6.0.27, = 6.0.26, = 6.0.18, = 6.0.19, = 6.0.16, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.23, = 7.0.0, = 7.0.7, = 7.0.19, = 7.0.13, = 7.0.9, = 7.0.6, = 7.0.21, = 7.0.17, = 7.0.14, = 7.0.28, = 7.0.18, = 7.0.15, = 7.0.10, = 7.0.11, = 7.0.25, = 7.0.16, = 7.0.3, >= 5.5.0, < 5.5.36, >= 6.0.0, < 6.0.36, >= 7.0.0, < 7.0.305 MEDIUM

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

= 6.0.33, = 6.0.0, = 6.0.6, = 6.0.4, = 6.0.11, = 6.0.7, = 6.0.15, = 6.0.20, = 6.0.17, = 6.0.10, = 6.0, = 6.0.14, = 6.0.29, = 6.0.1, = 6.0.3, = 6.0.12, = 6.0.9, = 6.0.32, = 6.0.28, = 6.0.24, = 6.0.31, = 6.0.2, = 6.0.26, = 6.0.27, = 6.0.8, = 6.0.18, = 6.0.13, = 6.0.19, = 6.0.16, = 6.0.30, = 6.0.5, = 6.0.35, = 7.0.2, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.5, = 7.0.4, = 7.0.22, = 7.0.6, = 7.0.21, = 7.0.18, = 7.0.14, = 7.0.10, = 7.0.13, = 7.0.17, = 7.0.0, = 7.0.9, = 7.0.15, = 7.0.23, = 7.0.11, = 7.0.25, = 7.0.16, = 7.0.7, = 7.0.19, = 7.0.35 MEDIUM

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.5, = 5.5.30, = 5.5.9, = 5.5.15, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.33, = 5.5.32, = 5.5.20, = 5.5.0, = 5.5.25, = 5.5.6, = 5.5.13, = 5.5.26, = 5.5.28, = 5.5.31, = 5.5.21, = 5.5.8, = 5.5.17, = 5.5.16, = 5.5.23, = 5.5.34, = 5.5.29, = 5.5.24, = 5.5.19, = 6.0.33, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.0, = 6.0.5, = 6.0.24, = 6.0.13, = 6.0.30, = 6.0.28, = 6.0.17, = 6.0.3, = 6.0.26, = 6.0.9, = 6.0.29, = 6.0.12, = 6.0, = 6.0.14, = 6.0.18, = 6.0.1, = 6.0.2, = 6.0.32, = 6.0.8, = 6.0.27, = 6.0.19, = 6.0.16, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.22, = 7.0.0, = 7.0.6, = 7.0.4, = 7.0.21, = 7.0.18, = 7.0.10, = 7.0.7, = 7.0.9, = 7.0.14, = 7.0.3, = 7.0.15, = 7.0.17, = 7.0.11, = 7.0.13, = 7.0.16, = 7.0.195 MEDIUM

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

= 6.0.33, = 6.0.31, = 6.0.32, = 6.0.30, = 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.18, = 7.0.15, = 7.0.14, = 7.0.21, = 7.0.13, = 7.0.11, = 7.0.4, = 7.0.3, = 7.0.19, = 7.0.10, = 7.0.9, = 7.0.17, = 7.0.16, = 7.0.75 MEDIUM

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.28, = 5.5.5, = 5.5.13, = 5.5.32, = 5.5.20, = 5.5.30, = 5.5.33, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.0, = 5.5.25, = 5.5.6, = 5.5.15, = 5.5.26, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.8, = 5.5.17, = 5.5.24, = 5.5.16, = 5.5.23, = 5.5.29, = 5.5.19, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0, = 6.0.14, = 6.0.17, = 6.0.18, = 6.0.2, = 6.0.32, = 6.0.19, = 6.0.9, = 6.0.12, = 6.0.30, = 6.0.28, = 6.0.3, = 6.0.26, = 6.0.1, = 6.0.0, = 6.0.5, = 6.0.24, = 6.0.13, = 6.0.8, = 6.0.27, = 6.0.16, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.11, = 7.0.7, = 7.0.3, = 7.0.10, = 7.0.9, = 7.0.45 MEDIUM

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.6, = 5.5.5, = 5.5.13, = 5.5.26, = 5.5.32, = 5.5.28, = 5.5.20, = 5.5.21, = 5.5.0, = 5.5.25, = 5.5.33, = 5.5.15, = 5.5.22, = 5.5.30, = 5.5.9, = 5.5.31, = 5.5.3, = 5.5.2, = 5.5.16, = 5.5.29, = 5.5.23, = 5.5.8, = 5.5.17, = 5.5.24, = 5.5.19, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0.30, = 6.0, = 6.0.28, = 6.0.17, = 6.0.18, = 6.0.14, = 6.0.1, = 6.0.0, = 6.0.32, = 6.0.24, = 6.0.19, = 6.0.9, = 6.0.3, = 6.0.12, = 6.0.26, = 6.0.2, = 6.0.5, = 6.0.13, = 6.0.16, = 6.0.27, = 6.0.8, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.11, = 7.0.7, = 7.0.4, = 7.0.10, = 7.0.9, = 7.0.34.3 MEDIUM

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.25, = 5.5.6, = 5.5.13, = 5.5.26, = 5.5.28, = 5.5.5, = 5.5.32, = 5.5.20, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.0, = 5.5.33, = 5.5.15, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.30, = 5.5.16, = 5.5.23, = 5.5.29, = 5.5.24, = 5.5.19, = 5.5.8, = 5.5.17, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0.28, = 6.0.3, = 6.0.12, = 6.0.30, = 6.0, = 6.0.17, = 6.0.18, = 6.0.26, = 6.0.2, = 6.0.19, = 6.0.14, = 6.0.1, = 6.0.0, = 6.0.32, = 6.0.24, = 6.0.9, = 6.0.5, = 6.0.13, = 6.0.27, = 6.0.16, = 6.0.8, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.11, = 7.0.7, = 7.0.10, = 7.0.9, = 7.0.4, = 7.0.34.3 MEDIUM

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.30, = 5.5.0, = 5.5.33, = 5.5.15, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.28, = 5.5.32, = 5.5.20, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.25, = 5.5.6, = 5.5.5, = 5.5.13, = 5.5.26, = 5.5.8, = 5.5.29, = 5.5.17, = 5.5.24, = 5.5.19, = 5.5.16, = 5.5.23, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0.9, = 6.0.12, = 6.0.14, = 6.0.18, = 6.0.1, = 6.0.2, = 6.0.32, = 6.0.19, = 6.0.0, = 6.0.5, = 6.0.24, = 6.0.13, = 6.0.30, = 6.0, = 6.0.28, = 6.0.17, = 6.0.3, = 6.0.26, = 6.0.27, = 6.0.16, = 6.0.8, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.11, = 7.0.7, = 7.0.3, = 7.0.4, = 7.0.10, = 7.0.95 MEDIUM

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

= 6.0.33, = 7.0.12, = 6.0.6, = 7.0.20, = 6.0.11, = 6.0.34, = 7.0.8, = 7.0.1, = 7.0.2, = 6.0.25, = 6.0.29, = 6.0.21, = 6.0.20, = 6.0.4, = 7.0.18, = 7.0.11, = 5.5.35, = 6.0.10, = 7.0.0, = 7.0.14, = 7.0.6, = 6.0.31, = 6.0.22, = 6.0.15, = 6.0.7, = 7.0.22, = 7.0.5, = 6.0.26, = 6.0.30, = 6.0.13, = 6.0.12, = 6.0.5, = 7.0.19, = 7.0.10, = 7.0.3, = 6.0.28, = 6.0.27, = 6.0.19, = 6.0.18, = 6.0.3, = 6.0.2, = 7.0.17, = 7.0.16, = 7.0.9, = 6.0.17, = 6.0.16, = 6.0.9, = 6.0.8, = 6.0.1, = 6.0.0, = 7.0.15, = 7.0.7, = 6.0.32, = 6.0.24, = 6.0.23, = 6.0.14, = 7.0.21, = 7.0.13, = 7.0.45 MEDIUM

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

= 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.18, = 7.0.7, = 7.0.17, = 7.0.15, = 7.0.9, = 7.0.10, = 7.0.11, = 7.0.19, = 7.0.14, = 7.0.16, = 7.0.3, = 7.0.4, = 7.0.13, = 7.0.214.4 MEDIUM

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.

= 7.0.12, = 7.0.20, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.14, = 7.0.4, = 7.0.13, = 7.0.10, = 7.0.3, = 7.0.16, = 7.0.7, = 7.0.9, = 7.0.11, = 7.0.17, = 7.0.19, = 6.0.33, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.30, = 6.0, = 6.0.28, = 6.0.17, = 6.0.3, = 6.0.2, = 6.0.14, = 6.0.18, = 6.0.1, = 6.0.26, = 6.0.13, = 6.0.9, = 6.0.29, = 6.0.0, = 6.0.5, = 6.0.24, = 6.0.32, = 6.0.12, = 6.0.19, = 6.0.16, = 6.0.27, = 6.0.8, = 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.25, = 5.5.6, = 5.5.13, = 5.5.26, = 5.5.28, = 5.5.5, = 5.5.32, = 5.5.20, = 5.5.30, = 5.5.0, = 5.5.33, = 5.5.15, = 5.5.3, = 5.5.22, = 5.5.2, = 5.5.9, = 5.5.31, = 5.5.21, = 5.5.16, = 5.5.23, = 5.5.8, = 5.5.29, = 5.5.17, = 5.5.24, = 5.5.197.5 HIGH

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

= 5.5.32, = 5.5.33, = 6.0.30, = 6.0.31, = 6.0.32, = 7.0.0, = 7.0.1, = 7.0.2, = 7.0.3, = 7.0.4, = 7.0.5, = 7.0.6, = 7.0.7, = 7.0.8, = 7.0.9, = 7.0.10, = 7.0.11, = 7.0.12, = 7.0.13, = 7.0.14, = 7.0.16, = 7.0.17, = 7.0.195 MEDIUM

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

= 7.0.12, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.14, = 7.0.11, = 7.0.13, = 7.0.3, = 7.0.7, = 7.0.9, = 7.0.10, = 7.0.44.6 MEDIUM

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.30, = 5.5.9, = 5.5.3, = 5.5.2, = 5.5.0, = 5.5.25, = 5.5.33, = 5.5.15, = 5.5.22, = 5.5.28, = 5.5.31, = 5.5.20, = 5.5.21, = 5.5.6, = 5.5.5, = 5.5.13, = 5.5.26, = 5.5.32, = 5.5.8, = 5.5.17, = 5.5.24, = 5.5.19, = 5.5.16, = 5.5.23, = 5.5.29, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0.30, = 6.0.28, = 6.0.3, = 6.0.1, = 6.0.0, = 6.0.32, = 6.0.24, = 6.0.9, = 6.0.5, = 6.0.13, = 6.0.12, = 6.0, = 6.0.14, = 6.0.17, = 6.0.18, = 6.0.26, = 6.0.2, = 6.0.19, = 6.0.27, = 6.0.16, = 6.0.8, = 7.0.12, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.14, = 7.0.11, = 7.0.4, = 7.0.17, = 7.0.10, = 7.0.7, = 7.0.3, = 7.0.94.4 MEDIUM

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.30, = 5.5.6, = 5.5.5, = 5.5.13, = 5.5.26, = 5.5.32, = 5.5.0, = 5.5.25, = 5.5.33, = 5.5.15, = 5.5.22, = 5.5.9, = 5.5.31, = 5.5.3, = 5.5.2, = 5.5.28, = 5.5.20, = 5.5.21, = 5.5.16, = 5.5.23, = 5.5.8, = 5.5.17, = 5.5.24, = 5.5.19, = 5.5.29, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.31, = 6.0.29, = 6.0.30, = 6.0, = 6.0.17, = 6.0.18, = 6.0.26, = 6.0.2, = 6.0.9, = 6.0.28, = 6.0.3, = 6.0.12, = 6.0.5, = 6.0.13, = 6.0.14, = 6.0.1, = 6.0.0, = 6.0.32, = 6.0.24, = 6.0.19, = 6.0.27, = 6.0.8, = 6.0.16, = 7.0.12, = 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.14, = 7.0.11, = 7.0.9, = 7.0.10, = 7.0.7, = 7.0.3, = 7.0.41.9 LOW

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

= 7.0.12, = 7.0.134.3 MEDIUM

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.

= 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.11, = 7.0.7, = 7.0.10, = 7.0.9, = 7.0.3, = 7.0.45 MEDIUM

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

= 7.0.115.8 MEDIUM

Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.

= 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.7, = 7.0.10, = 7.0.4, = 7.0.9, = 7.0.35.8 MEDIUM

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

= 7.0.8, = 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.7, = 7.0.9, = 7.0.3, = 7.0.45.8 MEDIUM

Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.

= 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.4, = 7.0.3, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.29, = 6.0.3, = 6.0, = 6.0.14, = 6.0.28, = 6.0.16, = 6.0.13, = 6.0.12, = 6.0.9, = 6.0.17, = 6.0.18, = 6.0.1, = 6.0.0, = 6.0.24, = 6.0.2, = 6.0.8, = 6.0.27, = 6.0.26, = 6.0.5, = 6.0.19, = 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.3, = 5.5.22, = 5.5.31, = 5.5.25, = 5.5.28, = 5.5.9, = 5.5.8, = 5.5.15, = 5.5.13, = 5.5.20, = 5.5.0, = 5.5.5, = 5.5.24, = 5.5.2, = 5.5.30, = 5.5.26, = 5.5.6, = 5.5.21, = 5.5.17, = 5.5.16, = 5.5.23, = 5.5.29, = 5.5.194.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

= 7.0.1, = 7.0.2, = 7.0.5, = 7.0.0, = 7.0.6, = 7.0.4, = 7.0.3, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.29, = 6.0.3, = 6.0.14, = 6.0.17, = 6.0.18, = 6.0.26, = 6.0.13, = 6.0.16, = 6.0.30, = 6.0.1, = 6.0.0, = 6.0.5, = 6.0.24, = 6.0.12, = 6.0.28, = 6.0.2, = 6.0.19, = 6.0.8, = 6.0.9, = 6.0.275 MEDIUM

Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.

= 7.0.1, = 7.0.2, = 7.0.0, = 7.0.3, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.29, = 6.0.3, = 6.0.14, = 6.0.17, = 6.0.16, = 6.0.1, = 6.0.12, = 6.0.18, = 6.0.27, = 6.0.0, = 6.0.5, = 6.0.19, = 6.0, = 6.0.28, = 6.0.2, = 6.0.13, = 6.0.8, = 6.0.9, = 6.0.26, = 6.0.24, = 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.25, = 5.5.9, = 5.5.15, = 5.5.22, = 5.5.28, = 5.5.8, = 5.5.13, = 5.5.20, = 5.5.21, = 5.5.24, = 5.5.3, = 5.5.32, = 5.5.30, = 5.5.26, = 5.5.0, = 5.5.6, = 5.5.5, = 5.5.2, = 5.5.16, = 5.5.23, = 5.5.29, = 5.5.17, = 5.5.191.2 LOW

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.

= 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.29, = 6.0.3, = 6.0, = 6.0.28, = 6.0.17, = 6.0.18, = 6.0.2, = 6.0.26, = 6.0.19, = 6.0.16, = 6.0.14, = 6.0.1, = 6.0.0, = 6.0.13, = 6.0.24, = 6.0.9, = 6.0.8, = 6.0.5, = 6.0.27, = 6.0.126.4 MEDIUM

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

= 7.0.1, = 7.0.2, = 6.0.15, = 7.0.0, = 6.0.20, = 6.0.29, = 6.0.24, = 6.0.17, = 6.0.12, = 6.0.26, = 7.0.3, = 6.0.28, = 7.0.4, = 6.0.27, = 6.0.16, = 6.0.13, = 6.0.14, = 6.0.19, = 6.0.184.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.

<= 4.1.394.3 MEDIUM

Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.9, = 5.5.17, = 5.5.3, = 5.5.22, = 5.5.0, = 5.5.8, = 5.5.15, = 5.5.16, = 5.5.13, = 5.5.26, = 5.5.25, = 5.5.6, = 5.5.5, = 5.5.20, = 5.5.21, = 5.5.28, = 5.5.24, = 5.5.2, = 5.5.23, = 5.5.29, = 5.5.19, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.3, = 6.0.9, = 6.0.18, = 6.0.1, = 6.0.0, = 6.0.12, = 6.0.14, = 6.0.5, = 6.0.8, = 6.0.2, = 6.0.19, = 6.0.16, = 6.0.17, = 6.0.13, = 6.0.24, = 6.0.26, = 6.0.27, = 7.0.06.4 MEDIUM

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

= 5.5.27, = 5.5.18, = 5.5.12, = 5.5.14, = 5.5.10, = 5.5.4, = 5.5.7, = 5.5.1, = 5.5.11, = 5.5.25, = 5.5.26, = 5.5.6, = 5.5.13, = 5.5.2, = 5.5.20, = 5.5.28, = 5.5.8, = 5.5.9, = 5.5.0, = 5.5.16, = 5.5.17, = 5.5.24, = 5.5.5, = 5.5.15, = 5.5.21, = 5.5.22, = 5.5.3, = 5.5.19, = 5.5.23, = 5.5.29, = 6.0.6, = 6.0.11, = 6.0.7, = 6.0.4, = 6.0.15, = 6.0.20, = 6.0.10, = 6.0.3, = 6.0.9, = 6.0.12, = 6.0.13, = 6.0.2, = 6.0.14, = 6.0.24, = 6.0.26, = 6.0.18, = 6.0.19, = 6.0.5, = 6.0.8, = 6.0.0, = 6.0.1, = 6.0.16, = 6.0.172.6 LOW

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.