| Item | Value |
|---|---|
| Name | Apache Tomcat |
| URL | http://tomcat.apache.org/ |
| Number Of NVD | 231 |
| CRITICAL | 12 |
| HIGH | 72 |
| MEDIUM | 130 |
| LOW | 15 |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale and stable systems. |

| No | Type | Name | URL |
|---|---|---|---|
| 1 | | | http://tomcat.apache.org/security.html |
| 2 | | | http://tomcat.apache.org/whichversion.html |

| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 41 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 42 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 43 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 44 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 45 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 46 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | 4 | 20 | 20 | 0 | ||
| 47 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | 7 | 34 | 56 | 6 | ||
| 48 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | 2 | 15 | 60 | 5 | ||
| 49 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 50 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 51 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 52 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 53 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 54 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 55 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 56 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 57 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |

| No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date | Published date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 41 | 7.5 | 4.3 | HIGH | Network | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a spec… | CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') | CVE-2021-41079 | `cpe:2.3:a:apache:tomcat:*:*` | 10.0.0, 9.0.0, 8.5.0 | 10.0.2 | | 9.0.44, 8.5.64 | 2024-11-21 15:25 | 2021-09-17 |
| 42 | 5.3 | 5.0 | MEDIUM | Network | Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request… | CWE-444 HTTP Request Smuggling | CVE-2021-33037 | `cpe:2.3:a:apache:tomcat:*:*` | 8.5.0 | 9.0.46, 10.0.6, 8.5.66 | 9.0.0, 10.0.0 | | 2024-11-21 15:08 | 2021-07-13 |
| 43 | 6.5 | 5.8 | MEDIUM | Network | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This… | CWE-116 Improper Encoding or Escaping of Output | CVE-2021-30640 | `cpe:2.3:a:apache:tomcat:*:*` | 10.0.0, 9.0.0, 7.0.0, 8.5.0 | | | 10.0.6, 9.0.46, 7.0.109, 8.5.66 | 2024-11-21 15:04 | 2021-07-13 |
| 44 | 7.5 | 5.0 | HIGH | Network | A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the e… | CWE-755 Improper Handling of Exceptional Conditions | CVE-2021-30639 | `cpe:2.3:a:apache:tomcat:9.0.44:*` `cpe:2.3:a:apache:tomcat:8.5.64:*` `cpe:2.3:a:apache:tomcat:10.0.4:*` `cpe:2.3:a:a…` | | | | | 2024-11-21 15:04 | 2021-07-13 |
| 45 | 7.0 | 4.4 | HIGH | Local | The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikel… | NVD-CWE-noinfo | CVE-2021-25329 | `cpe:2.3:a:apache:tomcat:9.0.0:milestone9` `cpe:2.3:a:apache:tomcat:9.0.0:milestone8` `cpe:2.3:a:apache:tomcat:9.0.0:m…` | 9.0.0, 8.5.0, 7.0.0 | 9.0.41, 8.5.61, 7.0.107 | | | 2024-11-21 14:54 | 2021-03-1 |
| 46 | 7.5 | 5.0 | HIGH | Network | When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body… | CWE-200 Information Exposure | CVE-2021-25122 | `cpe:2.3:a:apache:tomcat:9.0.0:milestone5` `cpe:2.3:a:apache:tomcat:9.0.0:milestone4` `cpe:2.3:a:apache:tomcat:9.0.0:m…` | 9.0.0, 8.5.0 | 9.0.41, 8.5.61 | | | 2024-11-21 14:54 | 2021-03-1 |
| 47 | 5.9 | 4.3 | MEDIUM | Network | When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to … | CWE-706 Use of Incorrectly-Resolved Name or Reference | CVE-2021-24122 | `cpe:2.3:a:apache:tomcat:9.0.0:milestone9` `cpe:2.3:a:apache:tomcat:9.0.0:milestone8` `cpe:2.3:a:apache:tomcat:9.0.0:m…` | 8.5.0, 9.0.1, 7.0.0 | 8.5.59, 9.0.39, 7.0.106 | | | 2024-11-21 14:52 | 2021-01-15 |
| 48 | 7.5 | 5.0 | HIGH | Network | While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream re… | CWE-200 Information Exposure | CVE-2020-17527 | `cpe:2.3:a:apache:tomcat:9.0.39:*` `cpe:2.3:a:apache:tomcat:9.0.38:*` `cpe:2.3:a:apache:tomcat:9.0.37:*` `cpe:2.3:a:a…` | 9.0.1, 8.5.1 | 9.0.35, 8.5.59 | | | 2024-11-21 14:08 | 2020-12-4 |
| 49 | 4.3 | 4.0 | MEDIUM | Network | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… | NVD-CWE-noinfo | CVE-2020-13943 | `cpe:2.3:a:apache:tomcat:9.0.9:*` `cpe:2.3:a:apache:tomcat:9.0.8:*` `cpe:2.3:a:apache:tomcat:9.0.7:*` `cpe:2.3:a:apac…` | | | | | 2024-11-21 14:02 | 2020-10-12 |
| 50 | 7.5 | 5.0 | HIGH | Network | The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could t… | CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') | CVE-2020-13935 | `cpe:2.3:a:apache:tomcat:9.0.0:milestone9` `cpe:2.3:a:apache:tomcat:9.0.0:milestone8` `cpe:2.3:a:apache:tomcat:9.0.0:m…` | 9.0.1, 7.0.27, 8.5.0 | 9.0.36, 7.0.104, 8.5.56 | | | 2024-11-21 14:02 | 2020-07-15 |