Search CVE reports
31 – 40 of 118 results
CVE-2019-17569
Low priorityThe refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading...
3 affected packages
tomcat7, tomcat8, tomcat9
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | — | — | — | Not affected | Not affected |
tomcat8 | — | — | — | Not affected | Not affected |
tomcat9 | — | — | — | Not affected | Not in release |
CVE-2019-12418
Medium prioritySome fixes available 1 of 8
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the...
3 affected packages
tomcat7, tomcat8, tomcat9
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
tomcat8 | Not in release | Not in release | Not in release | Needs evaluation | Fixed |
tomcat9 | Not affected | Not affected | Not affected | Needs evaluation | Not in release |
CVE-2019-17563
Low prioritySome fixes available 1 of 8
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow...
3 affected packages
tomcat7, tomcat8, tomcat9
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Needs evaluation | Needs evaluation |
tomcat8 | Not in release | Not in release | Not in release | Needs evaluation | Fixed |
tomcat9 | Not affected | Not affected | Not affected | Needs evaluation | Not in release |
CVE-2019-0221
Low prioritySome fixes available 7 of 10
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command...
3 affected packages
tomcat7, tomcat8, tomcat9
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Fixed | Fixed |
tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
tomcat9 | Not affected | Not affected | Not affected | Fixed | Not in release |
CVE-2019-0232
Low priorityWhen running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes...
3 affected packages
tomcat7, tomcat8, tomcat9
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | — | — | — | Not affected | Not affected |
tomcat8 | — | — | — | Not affected | Not affected |
tomcat9 | — | — | — | Not affected | Not in release |
CVE-2018-11784
Medium prioritySome fixes available 4 of 9
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL...
4 affected packages
tomcat6, tomcat7, tomcat8, tomcat8.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat6 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
tomcat7 | Not in release | Not in release | Not in release | Vulnerable | Vulnerable |
tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-8034
Low prioritySome fixes available 3 of 4
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
3 affected packages
tomcat7, tomcat8, tomcat8.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-1336
Medium priorityAn improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,...
3 affected packages
tomcat7, tomcat8, tomcat8.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | — | Not in release | Not in release | Not affected | Fixed |
tomcat8 | — | Not in release | Not in release | Fixed | Fixed |
tomcat8.0 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2018-8014
Low prioritySome fixes available 5 of 7
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users...
3 affected packages
tomcat7, tomcat8, tomcat8.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-1304
Medium prioritySome fixes available 3 of 5
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security...
3 affected packages
tomcat7, tomcat8, tomcat8.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
tomcat8 | Not in release | Not in release | Not in release | Not affected | Fixed |
tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |