Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL http://tomcat.apache.org/
Explanation Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support/Service Pack Support Extended (for a fee) Critical High Medium Low
121 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
122 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
123 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
124 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
125 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
126 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
127 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
128 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
129 Apache Tomcat 5.5 5.5.9 0 0 0 0
130 Apache Tomcat 5.0 5.0.9 0 0 0 0
131 Apache Tomcat 4.1 4.1.9 0 0 0 0
132 Apache Tomcat 4.0 4.0.6 0 0 0 0
133 Apache Tomcat 3.3 3.3.2 0 0 0 0
134 Apache Tomcat 3.2 3.2.4 0 0 0 0
135 Apache Tomcat 3.1 3.1.1 0 0 0 0
136 Apache Tomcat 3.0 3.0 0 0 0 0
137 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No CVSS3/CVSS2 Level Attack Vector Title CWE CVE cpe23Uri or higher or less more than less than Update date/Published date
121 -
2.1
LOW Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. NOTE: One Tomcat distributor ha… CWE-264
Permissions, Privileges, and Access Controls
CVE-2013-0346 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:47
2014-02-15
122 -
7.5
HIGH The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers … CWE-20
Improper Input Validation
CVE-2013-2185 cpe:2.3:a:apache:tomcat:*:* 7.0.39 2024-11-21 10:51
2014-01-20
123 -
6.8
MEDIUM Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that… CWE-352
Origin Validation Error
CVE-2013-6357 cpe:2.3:a:apache:tomcat:5:*
cpe:2.3:a:apache:tomcat:5.5.9:*
cpe:2.3:a:apache:tomcat:5.5.8:*
cpe:2.3:a:apache:t…
5.5.25 2024-11-21 10:59
2013-11-14
124 -
2.6
LOW java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows … CWE-200
Information Exposure
CVE-2013-2071 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:50
2013-06-1
125 -
6.8
MEDIUM java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationship… CWE-287
Improper Authentication
CVE-2013-2067 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:50
2013-06-1
126 -
5.0
MEDIUM Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming dat… CWE-20
Improper Input Validation
CVE-2012-3544 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:41
2013-06-1
127 -
2.6
LOW org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to… CWE-399
Resource Management Errors
CVE-2012-4534 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:43
2012-12-19
128 -
4.3
MEDIUM org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mecha… CWE-264
Permissions, Privileges, and Access Controls
CVE-2012-4431 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:42
2012-12-19
129 -
4.3
MEDIUM org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by le… CWE-264
Permissions, Privileges, and Access Controls
CVE-2012-3546 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:41
2012-12-19
130 -
5.0
MEDIUM Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. NVD-CWE-noinfo
CVE-2012-5568 cpe:2.3:a:apache:tomcat:*:* 7.0.0 7.0.105 2024-11-21 10:44
2012-12-1