Software Detail
Apache Tomcat Number Of NVD 231 CRITICAL 12 HIGH 72 MEDIUM 130 LOW 15
URL http://tomcat.apache.org/
Explanation Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended for a fee Critical High Medium Low
151 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
152 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
153 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
154 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
155 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
156 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
157 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
158 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
159 Apache Tomcat 5.5 5.5.9 0 0 0 0
160 Apache Tomcat 5.0 5.0.9 0 0 0 0
161 Apache Tomcat 4.1 4.1.9 0 0 0 0
162 Apache Tomcat 4.0 4.0.6 0 0 0 0
163 Apache Tomcat 3.3 3.3.2 0 0 0 0
164 Apache Tomcat 3.2 3.2.4 0 0 0 0
165 Apache Tomcat 3.1 3.1.1 0 0 0 0
166 Apache Tomcat 3.0 3.0 0 0 0 0
167 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri Update date Published date
151 -
5.8
MEDIUM Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP r… NVD-CWE-Other
CVE-2011-1419 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:26
2011-03-15
152 -
5.8
MEDIUM Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NVD-CWE-Other
CVE-2011-1088 cpe:2.3:a:apache:tomcat:7.0.9:*
cpe:2.3:a:apache:tomcat:7.0.8:*
cpe:2.3:a:apache:tomcat:7.0.7:*
cpe:2.3:a:apac…
2024-11-21 10:25
2011-03-15
153 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrar… CWE-79
Cross-site Scripting
CVE-2011-0013 cpe:2.3:a:apache:tomcat:7.0.5:*
cpe:2.3:a:apache:tomcat:7.0.4:*
cpe:2.3:a:apache:tomcat:7.0.3:*
cpe:2.3:a:apac…
2024-11-21 10:23
2011-02-19
154 -
5.0
MEDIUM Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial … CWE-399
 Resource Management Errors
CVE-2011-0534 cpe:2.3:a:apache:tomcat:7.0.6:*
cpe:2.3:a:apache:tomcat:7.0.5:*
cpe:2.3:a:apache:tomcat:7.0.4:*
cpe:2.3:a:apac…
2024-11-21 10:24
2011-02-11
155 -
1.2
LOW Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write … NVD-CWE-Other
CVE-2010-3718 cpe:2.3:a:apache:tomcat:7.0.3:*
cpe:2.3:a:apache:tomcat:7.0.2:*
cpe:2.3:a:apache:tomcat:7.0.1:*
cpe:2.3:a:apac…
2024-11-21 10:19
2011-02-11
156 -
6.4
MEDIUM The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. CWE-16
Configuration
CVE-2010-4312 cpe:2.3:a:apache:tomcat:6.0:*
cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache…
2024-11-21 10:20
2010-11-27
157 -
4.3
MEDIUM Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or … CWE-79
Cross-site Scripting
CVE-2010-4172 cpe:2.3:a:apache:tomcat:7.0.4:*
cpe:2.3:a:apache:tomcat:7.0.3:*
cpe:2.3:a:apache:tomcat:7.0.2:*
cpe:2.3:a:apac…
2024-11-21 10:20
2010-11-27
158 -
4.3
MEDIUM Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Lin… CWE-79
Cross-site Scripting
CVE-2009-2696 cpe:2.3:a:apache:tomcat:*:* 4.1.39 2024-11-21 10:05
2010-08-6
159 -
6.4
MEDIUM Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (appl… CWE-119
Incorrect Access of Indexable Resource ('Range Error') 
CVE-2010-2227 cpe:2.3:a:apache:tomcat:7.0.0:beta
cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:a…
2024-11-21 10:16
2010-07-14
160 -
2.6
LOW Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or… CWE-200
Information Exposure
CVE-2010-1157 cpe:2.3:a:apache:tomcat:6.0.9:*
cpe:2.3:a:apache:tomcat:6.0.8:*
cpe:2.3:a:apache:tomcat:6.0.7:*
cpe:2.3:a:apac…
2023-02-13 13:17
2010-04-23