| Apache Tomcat | Number Of NVD | 231 | CRITICAL | 12 | HIGH | 72 | MEDIUM | 130 | LOW | 15 |
|---|---|---|---|---|---|---|---|---|---|---|
| URL | http://tomcat.apache.org/ | | | | | | | | | |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale and stable systems. | | | | | | | | | |
| Tag | | | | | | | | | | |
| No | Type | Name | URL |
|---|---|---|---|
| 1 | | | http://tomcat.apache.org/security.html |
| 2 | | | http://tomcat.apache.org/whichversion.html |
| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 31 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 32 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 33 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 34 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 35 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 36 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | | | 4 | 20 | 20 | 0 |
| 37 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | | | 7 | 34 | 56 | 6 |
| 38 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | | | 2 | 15 | 60 | 5 |
| 39 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 40 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 41 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 42 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 43 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 44 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 45 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 46 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 47 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |
| No | CVSS3 CVSS2 | Level Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date Published date | Show Affected | Exploit PoC Search |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 31 | 7.5 - | HIGH Network | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used suc… | - | CVE-2023-28709 | cpe:2.3:a:apache:tomcat:11.0.0:milestone4 cpe:2.3:a:apache:tomcat:11.0.0:milestone3 cpe:2.3:a:apache:tomcat:11.0.… | 8.5.85 10.1.5 9.0.71 | 8.5.87 10.1.7 9.0.73 | | | 2024-11-21 16:55 2023-05-22 | Show | GitHub Exploit DB Packet Storm |
| 32 | 4.3 - | MEDIUM Network | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to… | - | CVE-2023-28708 | cpe:2.3:a:apache:tomcat:11.0.0:milestone2 cpe:2.3:a:apache:tomcat:11.0.0:milestone1 cpe:2.3:a:apache:tomcat:*:* | 8.5.0 | | 10.1.0 9.0.0 | 10.1.6 9.0.72 8.5.86 | 2024-11-21 16:55 2023-03-22 | Show | GitHub Exploit DB Packet Storm |
| 33 | 7.5 - | HIGH Network | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… | - | CVE-2022-45143 | cpe:2.3:a:apache:tomcat:8.5.83:* cpe:2.3:a:apache:tomcat:10.1.1:* cpe:2.3:a:apache:tomcat:10.1.0:milestone9 cp… | 9.0.40 | 9.0.69 | 2024-11-21 16:28 2023-01-4 | Show | GitHub Exploit DB Packet Storm | | |
| 34 | 7.5 - | HIGH Network | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… | - | CVE-2022-42252 | cpe:2.3:a:apache:tomcat:*:* | 10.1.0 10.0.0 9.0.0 8.5.0 | | | 10.1.1 10.0.27 9.0.68 8.5.83 | 2024-11-21 16:24 2022-11-1 | Show | GitHub Exploit DB Packet Storm |
| 35 | 3.7 - | LOW Network | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in … | - | CVE-2021-43980 | cpe:2.3:a:apache:tomcat:10.1.0:milestone9 cpe:2.3:a:apache:tomcat:10.1.0:milestone8 cpe:2.3:a:apache:tomcat:10.1.… | 8.5.0 9.0.0 10.0.0 | 8.5.77 9.0.60 10.0.18 | | | 2024-11-21 15:30 2022-09-28 | Show | GitHub Exploit DB Packet Storm |
| 36 | 6.1 4.3 | MEDIUM Network | In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data with… | CWE-79 Cross-site Scripting | CVE-2022-34305 | cpe:2.3:a:apache:tomcat:10.1.0:milestone9 cpe:2.3:a:apache:tomcat:10.1.0:milestone8 cpe:2.3:a:apache:tomcat:10.1.… | 9.0.30 8.5.50 10.0.0 | 9.0.64 8.5.81 10.0.22 | | | 2024-11-21 16:09 2022-06-23 | Show | GitHub Exploit DB Packet Storm |
| 37 | 8.6 7.5 | HIGH Network | If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible tha… | CWE-404 Improper Resource Shutdown or Release | CVE-2022-25762 | cpe:2.3:a:apache:tomcat:*:* | 9.0.0 8.5.0 | | | 9.0.21 8.5.76 | 2024-11-21 15:52 2022-05-13 | Show | GitHub Exploit DB Packet Storm |
| 38 | 7.5 5.0 | HIGH Network | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to r… | - | CVE-2022-29885 | cpe:2.3:a:apache:tomcat:10.1.0:milestone9 cpe:2.3:a:apache:tomcat:10.1.0:milestone8 cpe:2.3:a:apache:tomcat:10.1.… | 10.0.0 9.0.13 8.5.38 | 10.0.20 9.0.62 8.5.78 | | | 2024-11-21 15:59 2022-05-12 | Show | GitHub Exploit DB Packet Storm |
| 39 | 7.0 3.7 | HIGH Local | The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed… | - | CVE-2022-23181 | cpe:2.3:a:apache:tomcat:10.1.0:milestone8 cpe:2.3:a:apache:tomcat:10.1.0:milestone7 cpe:2.3:a:apache:tomcat:10.1.… | 8.5.55 9.0.35 10.0.1 | 8.5.73 9.0.56 10.0.14 | | | 2024-11-21 15:48 2022-01-27 | Show | GitHub Exploit DB Packet Storm |
| 40 | 7.5 5.0 | HIGH Network | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics f… | CWE-772 Missing Release of Resource after Effective Lifetime | CVE-2021-42340 | cpe:2.3:a:apache:tomcat:10.1.0:milestone5 cpe:2.3:a:apache:tomcat:10.1.0:milestone4 cpe:2.3:a:apache:tomcat:10.1.… | 10.0.1 8.5.60 9.0.40 | | | 10.0.12 8.5.72 9.0.54 | 2024-11-21 15:27 2021-10-15 | Show | GitHub Exploit DB Packet Storm |