Software Detail
Apache Tomcat: 231 NVD entries (12 CRITICAL, 72 HIGH, 130 MEDIUM, 15 LOW)
URL: http://tomcat.apache.org/
Explanation: Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large-scale and stable systems.
Tags
  • Apache License v2.0
  • Open source

Additional Information URLs
  1. http://tomcat.apache.org/security.html
  2. http://tomcat.apache.org/whichversion.html

List of Products
No | Name | Latest Version | Release date | Initial release | End of support (Normal / Security / Service Pack / Extended for a fee) | Critical | High | Medium | Low
51 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | 6 | 13 | 6 | 1
52 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | 6 | 19 | 7 | 2
53 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | 1 | 15 | 4 | 1
54 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | 12 | 52 | 27 | 2
55 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | 9 | 44 | 23 | 2
56 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | 4 | 20 | 20 | 0
57 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | 7 | 34 | 56 | 6
58 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | 2 | 15 | 60 | 5
59 | Apache Tomcat 5.5 | 5.5.9 | | | | 0 | 0 | 0 | 0
60 | Apache Tomcat 5.0 | 5.0.9 | | | | 0 | 0 | 0 | 0
61 | Apache Tomcat 4.1 | 4.1.9 | | | | 0 | 0 | 0 | 0
62 | Apache Tomcat 4.0 | 4.0.6 | | | | 0 | 0 | 0 | 0
63 | Apache Tomcat 3.3 | 3.3.2 | | | | 0 | 0 | 0 | 0
64 | Apache Tomcat 3.2 | 3.2.4 | | | | 0 | 0 | 0 | 0
65 | Apache Tomcat 3.1 | 3.1.1 | | | | 0 | 0 | 0 | 0
66 | Apache Tomcat 3.0 | 3.0 | | | | 0 | 0 | 0 | 0
67 | Apache Tomcat 1.1 | 1.1.3 | | | | 0 | 0 | 0 | 0
NVD Vulnerability Information
Fields per entry: No, CVE, CVSS3, CVSS2, Level, Attack Vector, Title, CWE, cpe23Uri, affected versions (or higher / or less / more than / less than), Update date, Published date
51. CVE-2020-13934 | CVSS3 7.5 | CVSS2 5.0 | Level HIGH | Attack Vector Network
Title: An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of …
CWE: CWE-476 NULL Pointer Dereference; CWE-401 Missing Release of Memory after Effective Lifetime
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
Affected versions: 9.0.1, 8.5.1 or higher; 9.0.36, 8.5.56 or less
Update date: 2024-11-21 14:02 | Published date: 2020-07-15
52. CVE-2020-8022 | CVSS3 7.8 | CVSS2 7.2 | Level HIGH | Attack Vector Local
Title: An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux En…
CWE: -
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
Affected versions: upper bounds 8.0.53-29.32.1, 8.0.53-29.32.1, 8.0.53-29.32.1, 8.0.53-29.32.1, 8.0.53-29.32.1, 8.0.53-29.32.1, 8.0.53-29.3…
Update date: 2024-11-21 14:38 | Published date: 2020-06-29
53. CVE-2020-11996 | CVSS3 7.5 | CVSS2 5.0 | Level HIGH | Attack Vector Network
Title: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient …
CWE: NVD-CWE-noinfo
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
Affected versions: 9.0.0, 8.5.0 or higher; 9.0.35, 8.5.55 or less
Update date: 2024-11-21 13:59 | Published date: 2020-06-27
54. CVE-2020-9484 | CVSS3 7.0 | CVSS2 4.4 | Level HIGH | Attack Vector Local
Title: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; …
CWE: CWE-502 Deserialization of Untrusted Data
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
Affected versions: 7.0.0, 8.5.0, 9.0.1 or higher; upper bounds 7.0.108, 8.5.63, 9.0.43
Update date: 2024-11-21 14:40 | Published date: 2020-05-21
55. CVE-2020-1938 | CVSS3 9.8 | CVSS2 7.5 | Level CRITICAL | Attack Vector Network
Title: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar H…
CWE: NVD-CWE-Other
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
Affected versions: 7.0.0, 8.5.0, 9.0.0 or higher; 7.0.99, 8.5.50, 9.0.30 or less
Update date: 2024-11-21 14:11 | Published date: 2020-02-25
56. CVE-2020-1935 | CVSS3 4.8 | CVSS2 5.8 | Level MEDIUM | Attack Vector Network
Title: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as va…
CWE: CWE-444 HTTP Request Smuggling
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
Affected versions: 7.0.0, 8.5.0, 9.0.0 or higher; 7.0.99, 8.5.50, 9.0.30 or less
Update date: 2024-11-21 14:11 | Published date: 2020-02-25
57. CVE-2019-17569 | CVSS3 4.8 | CVSS2 5.8 | Level MEDIUM | Attack Vector Network
Title: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were …
CWE: CWE-444 HTTP Request Smuggling
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
Affected versions: 8.5.48, 7.0.98, 9.0.28 or higher; 8.5.50, 7.0.99, 9.0.30 or less
Update date: 2024-11-21 13:32 | Published date: 2020-02-25
58. CVE-2019-12418 | CVSS3 7.0 | CVSS2 4.4 | Level HIGH | Attack Vector Local
Title: When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration f…
CWE: NVD-CWE-noinfo
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
Affected versions: 7.0.0, 8.5.0, 9.0.0 or higher; 7.0.97, 8.5.47, 9.0.28 or less
Update date: 2024-11-21 13:22 | Published date: 2019-12-24
59. CVE-2019-17563 | CVSS3 7.5 | CVSS2 5.1 | Level HIGH | Attack Vector Network
Title: When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The wind…
CWE: CWE-384 Session Fixation
cpe23Uri: cpe:2.3:a:apache:tomcat:*:*
Affected versions: 7.0.0, 8.5.0, 9.0.0 or higher; 7.0.98, 8.5.49, 9.0.29 or less
Update date: 2024-11-21 13:32 | Published date: 2019-12-24
60. CVE-2019-10072 | CVSS3 7.5 | CVSS2 5.0 | Level HIGH | Attack Vector Network
Title: The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDA…
CWE: CWE-667 Improper Locking
cpe23Uri: cpe:2.3:a:apache:tomcat:9.0.0:milestone9, cpe:2.3:a:apache:tomcat:9.0.0:milestone8, cpe:2.3:a:apache:tomcat:9.0.0:m…
Affected versions: 8.5.0, 9.0.1 or higher; 8.5.40, 9.0.19 or less
Update date: 2024-11-21 13:18 | Published date: 2019-06-22