51 – 60 of 158 results
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that...
6 affected packages
tomcat9, tomcat6, tomcat7, tomcat8, tomcat10, tomcat11
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat9 | Needs evaluation | Needs evaluation | Needs evaluation | Ignored | Ignored |
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat8 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat10 | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
| tomcat11 | Needs evaluation | Not in release | Not in release | Not in release | Not in release |
Some fixes available 9 of 16
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to...
6 affected packages
tomcat10, tomcat8, tomcat9, tomcat6, tomcat7, tomcat11
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat10 | Not affected | Not affected | Not in release | Not in release | Not in release |
| tomcat8 | — | — | Not in release | Not in release | Fixed |
| tomcat9 | Fixed | Fixed | Fixed | Fixed | Fixed |
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat11 | Needs evaluation | Not in release | Not in release | Not in release | Not in release |
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user-provided data and it was...
5 affected packages
tomcat9, tomcat8, tomcat6, tomcat7, tomcat10
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat9 | Not affected | Not affected | Vulnerable | Not affected | Not affected |
| tomcat8 | — | — | Not in release | Not in release | Not affected |
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat10 | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
Some fixes available 4 of 9
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not...
5 affected packages
tomcat6, tomcat7, tomcat8, tomcat9, tomcat10
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | — | — | Not in release | Not in release | Not in release |
| tomcat7 | — | — | Not in release | Not in release | Not affected |
| tomcat8 | — | — | Not in release | Not in release | Fixed |
| tomcat9 | Not affected | Not affected | Fixed | Fixed | Fixed |
| tomcat10 | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0...
4 affected packages
tomcat9, tomcat6, tomcat7, tomcat8
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat9 | Not affected | Not affected | Vulnerable | Vulnerable | Vulnerable |
| tomcat6 | — | — | Not in release | Not in release | Not in release |
| tomcat7 | — | — | Not in release | Not in release | Ignored |
| tomcat8 | — | — | Not in release | Not in release | Vulnerable |
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS...
5 affected packages
tomcat6, tomcat7, tomcat8, tomcat9, tomcat10
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat8 | Not in release | Not in release | Not in release | Not in release | Not affected |
| tomcat9 | Not affected | Not affected | Vulnerable | Vulnerable | Not affected |
| tomcat10 | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
Some fixes available 4 of 8
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network....
5 affected packages
tomcat9, tomcat8, tomcat6, tomcat7, tomcat10
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat9 | Not affected | Not affected | Fixed | Fixed | Fixed |
| tomcat8 | — | — | — | — | Fixed |
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Ignored |
| tomcat10 | Needs evaluation | Needs evaluation | Not in release | Not in release | Not in release |
Some fixes available 3 of 8
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be...
4 affected packages
tomcat6, tomcat7, tomcat8, tomcat9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | — | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | — | Not in release | Not in release | Not in release | Not affected |
| tomcat8 | — | Not in release | Not in release | Not in release | Fixed |
| tomcat9 | — | Not affected | Not affected | Fixed | Fixed |
Some fixes available 2 of 16
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a...
4 affected packages
tomcat6, tomcat7, tomcat8, tomcat9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
| tomcat9 | Not affected | Not affected | Not affected | Fixed | Fixed |
Some fixes available 2 of 16
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat...
4 affected packages
tomcat6, tomcat7, tomcat8, tomcat9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Not in release |
| tomcat7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
| tomcat9 | Not affected | Not affected | Not affected | Fixed | Fixed |