Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale, stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support (Service Pack Support) Extended (for a fee) Critical High Medium Low
141 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
142 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
143 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
144 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
145 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
146 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
147 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
148 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
149 Apache Tomcat 5.5 5.5.9 0 0 0 0
150 Apache Tomcat 5.0 5.0.9 0 0 0 0
151 Apache Tomcat 4.1 4.1.9 0 0 0 0
152 Apache Tomcat 4.0 4.0.6 0 0 0 0
153 Apache Tomcat 3.3 3.3.2 0 0 0 0
154 Apache Tomcat 3.2 3.2.4 0 0 0 0
155 Apache Tomcat 3.1 3.1.1 0 0 0 0
156 Apache Tomcat 3.0 3.0 0 0 0 0
157 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri Update date Published date
141 CVE-2011-4858 (MEDIUM; CVSS3 -, CVSS2 5.0)
Title: Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows rem…
CWE: CWE-399 Resource Management Errors
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:33
Published date: 2012-01-6
142 CVE-2011-3376 (MEDIUM; CVSS3 -, CVSS2 4.4)
Title: org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privi…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:30
Published date: 2011-11-12
143 CVE-2011-3190 (HIGH; CVSS3 -, CVSS2 7.5)
Title: Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP reque…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:29
Published date: 2011-09-1
144 CVE-2011-2729 (MEDIUM; CVSS3 -, CVSS2 5.0)
Title: native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:28
Published date: 2011-08-16
145 CVE-2011-2481 (MEDIUM; CVSS3 -, CVSS2 4.6)
Title: Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3…
CWE: NVD-CWE-Other
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:28
Published date: 2011-08-16
146 CVE-2011-2526 (MEDIUM; CVSS3 -, CVSS2 4.4)
Title: Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allow…
CWE: CWE-20 Improper Input Validation
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:28
Published date: 2011-07-15
147 CVE-2011-2204 (LOW; CVSS3 -, CVSS2 1.9)
Title: Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creatio…
CWE: CWE-200 Information Exposure
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:27
Published date: 2011-06-30
148 CVE-2011-1582 (MEDIUM; CVSS3 -, CVSS2 4.3)
Title: Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass …
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.13:*, cpe:2.3:a:apache:tomcat:7.0.12:*
Update date: 2024-11-21 10:26
Published date: 2011-05-21
149 CVE-2011-1475 (MEDIUM; CVSS3 -, CVSS2 5.0)
Title: The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circu…
CWE: CWE-20 Improper Input Validation
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.9:*, cpe:2.3:a:apache:tomcat:7.0.8:*, cpe:2.3:a:apache:tomcat:7.0.7:*, cpe:2.3:a:apac…
Update date: 2024-11-21 10:26
Published date: 2011-04-9
150 CVE-2011-1183 (MEDIUM; CVSS3 -, CVSS2 5.8)
Title: Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-d…
CWE: NVD-CWE-Other
cpe23Uri: cpe:2.3:a:apache:tomcat:7.0.11:*
Update date: 2024-11-21 10:25
Published date: 2011-04-9