Software Detail
Apache Tomcat
Number Of NVD: 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • Open source

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
Columns: No, Name, Latest Version, Release date, Initial release, Normal Support, Security Support / Service Pack Support, Extended (for a fee), Critical, High, Medium, Low
171 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
172 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
173 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
174 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
175 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
176 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
177 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
178 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
179 Apache Tomcat 5.5 5.5.9 0 0 0 0
180 Apache Tomcat 5.0 5.0.9 0 0 0 0
181 Apache Tomcat 4.1 4.1.9 0 0 0 0
182 Apache Tomcat 4.0 4.0.6 0 0 0 0
183 Apache Tomcat 3.3 3.3.2 0 0 0 0
184 Apache Tomcat 3.2 3.2.4 0 0 0 0
185 Apache Tomcat 3.1 3.1.1 0 0 0 0
186 Apache Tomcat 3.0 3.0 0 0 0 0
187 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
Columns: No, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, CVE, cpe23Uri (or higher, or less, more than, less than), Update date, Published date
No: 171
CVSS3: -
CVSS2: 2.6
Level: LOW
Title: The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST co…
CWE: CWE-200 (Information Exposure)
CVE: CVE-2008-4308
cpe23Uri: cpe:2.3:a:apache:tomcat:5.5.20:*, cpe:2.3:a:apache:tomcat:5.5.19:*, cpe:2.3:a:apache:tomcat:5.5.18:*, cpe:2.3:a:a…
Update date: 2026-04-23 09:35
Published date: 2009-02-27

No: 172
CVSS3: -
CVSS2: 4.3
Level: MEDIUM
Title: Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another req…
CWE: CWE-264 (Permissions, Privileges, and Access Controls)
CVE: CVE-2008-3271
cpe23Uri: cpe:2.3:a:apache:tomcat:5.5.0:*, cpe:2.3:a:apache:tomcat:4.1.9:*, cpe:2.3:a:apache:tomcat:4.1.8:*, cpe:2.3:a:apac…
Update date: 2026-04-23 09:35
Published date: 2008-10-14

No: 173
CVSS3: -
CVSS2: 4.3
Level: MEDIUM
Title: Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbit…
CWE: CWE-22 (Path Traversal)
CVE: CVE-2008-2938
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 4.0.0, 5.0.0, 6.0.0
or less: 4.1.37, 5.5.26, 6.0.16
Update date: 2026-04-23 09:35
Published date: 2008-08-13

No: 174
CVSS3: -
CVSS2: 4.3
Level: MEDIUM
Title: Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a cra…
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2008-1232
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 4.1.0, 5.5.0, 6.0.0
or less: 4.1.37, 5.5.26, 6.0.16
Update date: 2026-04-23 09:35
Published date: 2008-08-4

No: 175
CVSS3: -
CVSS2: 5.0
Level: MEDIUM
Title: Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which …
CWE: CWE-22 (Path Traversal)
CVE: CVE-2008-2370
cpe23Uri: cpe:2.3:a:apache:tomcat:6.0.9:*, cpe:2.3:a:apache:tomcat:6.0.8:*, cpe:2.3:a:apache:tomcat:6.0.7:*, cpe:2.3:a:apac…
Update date: 2026-04-23 09:35
Published date: 2008-08-4

No: 176
CVSS3: -
CVSS2: 4.3
Level: MEDIUM
Title: Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the …
CWE: CWE-79 (Cross-site Scripting)
CVE: CVE-2008-1947
cpe23Uri: cpe:2.3:a:apache:tomcat:6.0.9:*, cpe:2.3:a:apache:tomcat:6.0.8:*, cpe:2.3:a:apache:tomcat:6.0.7:*, cpe:2.3:a:apac…
Update date: 2026-04-23 09:35
Published date: 2008-06-5

No: 177
CVSS3: -
CVSS2: 5.0
Level: MEDIUM
Title: Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value,…
CWE: CWE-200 (Information Exposure)
CVE: CVE-2007-5333
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
or higher: 4.1.0, 5.5.0, 6.0.0
or less: 4.1.36, 5.5.25, 6.0.14
Update date: 2026-04-23 09:35
Published date: 2008-02-12

No: 178
CVSS3: -
CVSS2: 4.3
Level: MEDIUM
Title: Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigge…
CWE: NVD-CWE-Other
CVE: CVE-2007-6286
cpe23Uri: cpe:2.3:a:apache:tomcat:6.0.9:*, cpe:2.3:a:apache:tomcat:6.0.8:*, cpe:2.3:a:apache:tomcat:6.0.7:*, cpe:2.3:a:apac…
Update date: 2026-04-23 09:35
Published date: 2008-02-12

No: 179
CVSS3: -
CVSS2: 5.8
Level: MEDIUM
Title: Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitiv…
CWE: NVD-CWE-Other
CVE: CVE-2008-0002
cpe23Uri: cpe:2.3:a:apache:tomcat:6.0.9:*, cpe:2.3:a:apache:tomcat:6.0.8:*, cpe:2.3:a:apache:tomcat:6.0.7:*, cpe:2.3:a:apac…
Update date: 2026-04-23 09:35
Published date: 2008-02-12

No: 180
CVSS3: -
CVSS2: 5.0
Level: MEDIUM
Title: The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause t…
CWE: CWE-16 (Configuration)
CVE: CVE-2008-0128
cpe23Uri: cpe:2.3:a:apache:tomcat:*:* 5.5.20
Update date: 2026-04-23 09:35
Published date: 2008-01-23