Software Detail
Title
CVE
CRITICAL
HIGH
MEDIUM
LOW
CWE
Number of items displayed
Apache Tomcat Number Of NVD 240 CRITICAL 16 HIGH 74 MEDIUM 133 LOW 15
URL http://tomcat.apache.org/
Explanation ApacheTomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large scale and stable systems.
Tag
  • Apache License v2.0
  • オープンソース

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product  [ Click to show release history and vulnerability information ]
No Name Latest Version Release date Initial release Normal Support Security Support
Service Pack Support
Extended
for a fee
Critical High Medium Low
51 Apache Tomcat 11.0 11.0.14 June 22, 2026 Feb. 23, 2023 10 15 9 1
52 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 10 21 10 2
53 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 16 54 30 2
54 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 12 46 26 2
55 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 6 21 22 0
56 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 10 35 59 6
57 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 4 16 63 5
58 Apache Tomcat 5.5 5.5.9 0 0 0 0
59 Apache Tomcat 5.0 5.0.9 0 0 0 0
60 Apache Tomcat 4.1 4.1.9 0 0 0 0
61 Apache Tomcat 4.0 4.0.6 0 0 0 0
62 Apache Tomcat 3.3 3.3.2 0 0 0 0
63 Apache Tomcat 3.2 3.2.4 0 0 0 0
64 Apache Tomcat 3.1 3.1.1 0 0 0 0
65 Apache Tomcat 3.0 3.0 0 0 0 0
66 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
  • CRITICAL
  • HIGH
  • MEDIUM
  • LOW
No CVSS3
CVSS2
Level
Attach Vector
Title CWE CVE cpe23Uri or higher or less more than less than Update date
Published date
Show Affected Exploit
PoC
Search
51 5.3
5.0
MEDIUM
Network
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request… CWE-444
HTTP Request Smuggling
CVE-2021-33037 cpe:2.3:a:apache:tomcat:*:*

8.5.0
9.0.46
10.0.6
8.5.66
9.0.0
10.0.0


2024-11-21 15:08
2021-07-13
Show GitHub Exploit DB Packet Storm
52 6.5
5.8
MEDIUM
Network
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This… CWE-116
 Improper Encoding or Escaping of Output
CVE-2021-30640 cpe:2.3:a:apache:tomcat:*:* 10.0.0
9.0.0
7.0.0
8.5.0






10.0.6
9.0.46
7.0.109
8.5.66
2024-11-21 15:04
2021-07-13
Show GitHub Exploit DB Packet Storm
53 7.5
5.0
HIGH
Network
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the e… CWE-755
 Improper Handling of Exceptional Conditions
CVE-2021-30639 cpe:2.3:a:apache:tomcat:9.0.44:*
cpe:2.3:a:apache:tomcat:8.5.64:*
cpe:2.3:a:apache:tomcat:10.0.4:*
cpe:2.3:a:a…
2024-11-21 15:04
2021-07-13
Show GitHub Exploit DB Packet Storm
54 7.0
4.4
HIGH
Local
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikel… NVD-CWE-noinfo
CVE-2021-25329 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
9.0.0
8.5.0
7.0.0
9.0.41
8.5.61
7.0.107




2024-11-21 14:54
2021-03-1
Show GitHub Exploit DB Packet Storm
55 7.5
5.0
HIGH
Network
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body… CWE-200
Information Exposure
CVE-2021-25122 cpe:2.3:a:apache:tomcat:9.0.0:milestone5
cpe:2.3:a:apache:tomcat:9.0.0:milestone4
cpe:2.3:a:apache:tomcat:9.0.0:m…
9.0.0
8.5.0
9.0.41
8.5.61


2024-11-21 14:54
2021-03-1
Show GitHub Exploit DB Packet Storm
56 5.9
4.3
MEDIUM
Network
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to … CWE-706
 Use of Incorrectly-Resolved Name or Reference
CVE-2021-24122 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
8.5.0
9.0.1
7.0.0
8.5.59
9.0.39
7.0.106




2024-11-21 14:52
2021-01-15
Show GitHub Exploit DB Packet Storm
57 7.5
5.0
HIGH
Network
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream re… CWE-200
Information Exposure
CVE-2020-17527 cpe:2.3:a:apache:tomcat:9.0.39:*
cpe:2.3:a:apache:tomcat:9.0.38:*
cpe:2.3:a:apache:tomcat:9.0.37:*
cpe:2.3:a:a…
9.0.1
8.5.1
9.0.35
8.5.59


2024-11-21 14:08
2020-12-4
Show GitHub Exploit DB Packet Storm
58 4.3
4.0
MEDIUM
Network
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… NVD-CWE-noinfo
CVE-2020-13943 cpe:2.3:a:apache:tomcat:9.0.9:*
cpe:2.3:a:apache:tomcat:9.0.8:*
cpe:2.3:a:apache:tomcat:9.0.7:*
cpe:2.3:a:apac…
2024-11-21 14:02
2020-10-12
Show GitHub Exploit DB Packet Storm
59 7.5
5.0
HIGH
Network
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could t… CWE-835
 Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2020-13935 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
9.0.1
7.0.27
8.5.0
9.0.36
7.0.104
8.5.56




2024-11-21 14:02
2020-07-15
Show GitHub Exploit DB Packet Storm
60 7.5
5.0
HIGH
Network
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of … CWE-476
CWE-401
 NULL Pointer Dereference
 Missing Release of Memory after Effective Lifetime
CVE-2020-13934 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
9.0.1
8.5.1
9.0.36
8.5.56


2024-11-21 14:02
2020-07-15
Show GitHub Exploit DB Packet Storm