org.apache.tomcat:tomcat
Maven158 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.tomcat:tomcatpage 1 of 4
- CVE-2000-0759NONECVSS 0.0EG 0.02000-10-20
Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.
- CVE-2000-1210NONECVSS 0.0EG 0.02002-03-22
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
- CVE-2001-0829NONECVSS 0.0EG 0.02001-12-06
A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.
- CVE-2001-0917NONECVSS 0.0EG 0.0✓ Fixed in 4.0.22001-11-22
Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension.
- CVE-2002-0493NONECVSS 0.0EG 0.0✓ Fixed in 4.0b72002-08-12
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
- CVE-2002-0935NONECVSS 0.0EG 0.0✓ Fixed in 4.1.3-beta2002-10-04
Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working thre…
- CVE-2002-1148NONECVSS 0.0EG 0.0✓ Fixed in 4.1.122002-10-11
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
- CVE-2002-1394NONECVSS 0.0EG 0.0✓ Fixed in 4.0.62003-01-17
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
- CVE-2002-1567NONECVSS 0.0EG 0.0✓ Fixed in 4.1.292003-10-06
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script.
- CVE-2002-2006NONECVSS 0.0EG 0.0✓ Fixed in 3.3a2002-12-31
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
- CVE-2002-2008NONECVSS 0.0EG 0.0✓ Fixed in 4.1.32002-12-31
Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.
- CVE-2002-2009NONECVSS 0.0EG 0.02002-12-31
Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.
- CVE-2002-2272NONECVSS 0.0EG 0.02002-12-31
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with inv…
- CVE-2003-0042NONECVSS 0.0EG 0.0✓ Fixed in 3.3.1a2003-02-07
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null cha…
- CVE-2003-0043NONECVSS 0.0EG 0.0✓ Fixed in 3.3.1a2003-02-07
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
- CVE-2003-0044NONECVSS 0.0EG 0.0✓ Fixed in 3.3.22003-02-07
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
- CVE-2003-0045NONECVSS 0.0EG 0.0✓ Fixed in 3.3.1a2003-02-07
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
- CVE-2003-0866NONECVSS 0.0EG 0.0✓ Fixed in 4.1.02003-11-17
The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later request…
- CVE-2005-2090NONECVSS 0.0EG 0.02005-07-05
Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chun…
- CVE-2005-3164NONECVSS 0.0EG 0.02005-10-06
The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a PO…
- CVE-2005-3510NONECVSS 0.0EG 0.0✓ Fixed in 5.5.122005-11-06
Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files.
- CVE-2005-4703NONECVSS 0.0EG 0.02005-12-31
Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathname in an error message, as demonstrated …
- CVE-2005-4836NONECVSS 0.0EG 0.02005-12-31
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.
- CVE-2006-3835NONECVSS 0.0EG 0.0✓ Fixed in 5.5.172006-07-25
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
- CVE-2006-7195NONECVSS 0.0EG 0.0✓ Fixed in 5.5.182007-05-10
Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.
- CVE-2006-7196NONECVSS 0.0EG 0.0✓ Fixed in 5.5.162007-05-10
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script …
- CVE-2006-7197NONECVSS 0.0EG 0.02007-04-25
The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions of sensitive memory.
- CVE-2007-0450NONECVSS 0.0EG 9.0✓ Fixed in 6.0.102007-03-16
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot do…
- CVE-2007-1358NONECVSS 0.0EG 0.02007-05-10
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do n…
- CVE-2007-2449NONECVSS 0.0EG 0.02007-06-14
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow…
- CVE-2007-2450NONECVSS 0.0EG 0.0✓ Fixed in 6.0.142007-06-14
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 a…
- CVE-2007-3382NONECVSS 0.0EG 0.02007-08-14
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remo…
- CVE-2007-3383NONECVSS 0.0EG 0.02007-07-25
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web scri…
- CVE-2007-3384NONECVSS 0.0EG 0.02007-08-08
Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error me…
- CVE-2007-3385NONECVSS 0.0EG 0.02007-08-14
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leak…
- CVE-2007-4724NONECVSS 0.0EG 0.02007-09-05
Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters.
- CVE-2007-5333NONECVSS 0.0EG 0.0✓ Fixed in 4.1.372008-02-12
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information…
- CVE-2007-5461NONECVSS 0.0EG 0.02007-10-15
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV …
- CVE-2007-6286NONECVSS 0.0EG 0.02008-02-12
Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one o…
- CVE-2008-0002NONECVSS 0.0EG 0.0✓ Fixed in 6.0.162008-02-12
Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by discon…
- CVE-2008-1232NONECVSS 0.0EG 0.0✓ Fixed in 6.0.172008-08-04
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message …
- CVE-2008-1947NONECVSS 0.0EG 0.0✓ Fixed in 6.0.182008-06-04
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html…
- CVE-2008-2370NONECVSS 0.0EG 9.0✓ Fixed in 6.0.182008-08-04
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct direc…
- CVE-2008-2938NONECVSS 0.0EG 9.0✓ Fixed in 6.0.182008-08-13
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory travers…
- CVE-2008-4308NONECVSS 0.0EG 0.0✓ Fixed in 5.5.212009-02-26
The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different re…
- CVE-2008-5515NONECVSS 0.0EG 0.0✓ Fixed in 6.0.202009-06-16
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote att…
- CVE-2009-0033NONECVSS 0.0EG 0.02009-06-05
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted req…
- CVE-2009-0580NONECVSS 0.0EG 9.0✓ Fixed in 6.0.192009-06-05
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of pas…
- CVE-2009-0781NONECVSS 0.0EG 0.0✓ Fixed in 6.0.202009-03-09
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to injec…
- CVE-2009-0783MEDIUMCVSS 4.2EG 4.2✓ Fixed in 6.0.202009-06-05
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.x…
Check whether org.apache.tomcat:tomcat is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.tomcat:tomcat CVEs against the assets you own.
Start Free Scan →