CVE search results

41 – 50 of 100 results

Detailed view

Sort by:

CVE-2020-1935

Low priority

Some fixes available 1 of 7

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation	Fixed
tomcat9	Not affected	Not affected	Not affected	Needs evaluation	Not in release

CVE-2019-17569

Low priority

Not affected

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	—	—	—	Not affected	Not affected
tomcat8	—	—	—	Not affected	Not affected
tomcat9	—	—	—	Not affected	Not in release

CVE-2019-12418

Medium priority

Some fixes available 1 of 8

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation	Fixed
tomcat9	Not affected	Not affected	Not affected	Needs evaluation	Not in release

CVE-2019-17563

Low priority

Some fixes available 1 of 8

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation	Fixed
tomcat9	Not affected	Not affected	Not affected	Needs evaluation	Not in release

CVE-2019-10072

Medium priority

Some fixes available 3 of 5

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection...

2 affected packages

tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat8	—	—	—	Fixed	Not affected
tomcat9	—	—	—	Fixed	Not in release

CVE-2019-0221

Low priority

Some fixes available 7 of 10

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	Not in release	Not in release	Not in release	Fixed	Fixed
tomcat8	Not in release	Not in release	Not in release	Fixed	Fixed
tomcat9	Not affected	Not affected	Not affected	Fixed	Not in release

CVE-2019-0232

Low priority

Not affected

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat7	—	—	—	Not affected	Not affected
tomcat8	—	—	—	Not affected	Not affected
tomcat9	—	—	—	Not affected	Not in release

CVE-2019-0199

Medium priority

Fixed

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response...

2 affected packages

tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat8	—	—	—	Fixed	Not affected
tomcat9	—	—	—	Not affected	Not in release

CVE-2018-11784

Medium priority

Some fixes available 4 of 9

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL...

4 affected packages

tomcat6, tomcat7, tomcat8, tomcat8.0

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat6	Not in release	Not in release	Not in release	Not in release	Vulnerable
tomcat7	Not in release	Not in release	Not in release	Vulnerable	Vulnerable
tomcat8	Not in release	Not in release	Not in release	Fixed	Fixed
tomcat8.0	Not in release	Not in release	Not in release	Not in release	Not in release

CVE-2018-8037

Medium priority

Fixed

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user....

2 affected packages

tomcat8, tomcat8.0

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS	16.04 LTS
tomcat8	—	—	—	Fixed	Not affected
tomcat8.0	—	—	—	Not in release	Not in release

Export to JSON

Results by page:

Search CVE reports