Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
tomcat.apache.org vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2018-11759
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed ...
Apache Tomcat Jk Connector
Debian Debian Linux 8.0
Debian Debian Linux 9.0
Redhat Jboss Core Services -
4 Github repositories
4.8
CVSSv3
CVE-2019-17569
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomca...
Apache Tomcat
Apache Tomee 7.0.7
Opensuse Leap 15.1
Netapp Data Availability Services -
Netapp Oncommand System Manager
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Oracle Agile Engineering Data Management 6.2.1.0
Oracle Agile Plm 9.3.3
Oracle Agile Plm 9.3.5
Oracle Agile Plm 9.3.6
Oracle Communications Instant Messaging Server 10.0.1.4.0
4.8
CVSSv3
CVE-2020-1935
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located be...
Apache Tomcat
Apache Tomcat 9.0.0
Debian Debian Linux 8.0
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Canonical Ubuntu Linux 16.04
Opensuse Leap 15.1
Netapp Data Availability Services -
Netapp Oncommand System Manager
Oracle Agile Engineering Data Management 6.2.1.0
Oracle Agile Product Lifecycle Management 9.3.3
Oracle Agile Product Lifecycle Management 9.3.5
7.5
CVSSv3
CVE-2019-10072
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause serve...
Apache Tomcat
Apache Tomcat 9.0.0
1 Article
9.8
CVSSv3
CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp...
Apache Geode 1.12.0
Apache Tomcat
Fedoraproject Fedora 30
Fedoraproject Fedora 31
Fedoraproject Fedora 32
Oracle Agile Engineering Data Management 6.2.1.0
Oracle Agile Plm 9.3.3
Oracle Agile Plm 9.3.5
Oracle Agile Plm 9.3.6
Oracle Communications Element Manager 8.1.1
Oracle Communications Element Manager 8.2.0
Oracle Communications Element Manager 8.2.1
48 Github repositories
1 Article
7.5
CVSSv3
CVE-2019-17563
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the si...
Apache Tomcat
Debian Debian Linux 8.0
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Opensuse Leap 15.1
Canonical Ubuntu Linux 16.04
Oracle Agile Engineering Data Management 6.2.1.0
Oracle Hyperion Infrastructure Technology 11.1.2.4
Oracle Instantis Enterprisetrack
Oracle Micros Relate Crm Software 11.4
Oracle Mysql Enterprise Monitor
Oracle Retail Order Broker 15.0
7
CVSSv3
CVE-2019-12418
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack...
Apache Tomcat
Debian Debian Linux 8.0
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Oracle Workload Manager 12.2.0.1
Oracle Workload Manager 18c
Oracle Workload Manager 19c
Canonical Ubuntu Linux 16.04
Opensuse Leap 15.1
Netapp Oncommand System Manager
4.3
CVSSv2
CVE-2007-2449
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 up to and including 4.0.6, 4.1.0 up to and including 4.1.36, 5.0.0 up to and including 5.0.30, 5.5.0 up to and including 5.5.24, and 6.0.0 up to and inc...
Apache Tomcat
Apache Tomcat 4.0.0
Apache Tomcat 4.0.1
Apache Tomcat 4.0.2
Apache Tomcat 4.0.3
Apache Tomcat 4.0.4
Apache Tomcat 4.0.5
Apache Tomcat 5.0.0
Apache Tomcat 5.0.1
Apache Tomcat 5.0.2
Apache Tomcat 5.0.3
Apache Tomcat 5.0.4
1 EDB exploit
5
CVSSv2
CVE-2008-5515
Apache Tomcat 4.1.0 up to and including 4.1.39, 5.5.0 up to and including 5.5.27, 6.0.0 up to and including 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote maliciou...
Apache Tomcat 4.1.0
Apache Tomcat 4.1.1
Apache Tomcat 4.1.2
Apache Tomcat 4.1.3
Apache Tomcat 4.1.10
Apache Tomcat 4.1.11
Apache Tomcat 4.1.12
Apache Tomcat 4.1.13
Apache Tomcat 4.1.14
Apache Tomcat 4.1.15
Apache Tomcat 4.1.16
Apache Tomcat 4.1.17
4.3
CVSSv2
CVE-2009-0781
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 up to and including 4.1.39, 5.5.0 up to and including 5.5.27, and 6.0.0 up to and including 6.0.18 allows remote malicious users to inje...
Apache Tomcat 4.1.0
Apache Tomcat 4.1.1
Apache Tomcat 4.1.2
Apache Tomcat 4.1.3
Apache Tomcat 4.1.4
Apache Tomcat 4.1.5
Apache Tomcat 4.1.6
Apache Tomcat 4.1.7
Apache Tomcat 4.1.8
Apache Tomcat 4.1.9
Apache Tomcat 4.1.10
Apache Tomcat 4.1.11
Preferred Score:
CVSSv3
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
CVE-2025-0998
CVE-2025-26779
unknown
CVE-2025-1094
CVE-2025-1336
enituretechnology
unauthorized
CVE-2024-57970
s2member pro
oliver pos – a woocommerce point of sale (pos)
CVE-2024-40591
race condition
deserialization
Home
/
Search Results
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »