| Product | Number of NVD entries | Critical | High | Medium | Low |
|---|---|---|---|---|---|
| Apache Tomcat | 231 | 12 | 72 | 130 | 15 |

| Field | Value |
|---|---|
| URL | http://tomcat.apache.org/ |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server that serves static content. It has been adopted by many companies that require large-scale, stable systems. |
| No | URL |
|---|---|
| 1 | http://tomcat.apache.org/security.html |
| 2 | http://tomcat.apache.org/whichversion.html |
| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support | Service Pack Support (extended for a fee) | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 61 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 62 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 63 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 64 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 65 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 66 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | | | 4 | 20 | 20 | 0 |
| 67 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | | | 7 | 34 | 56 | 6 |
| 68 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | | | 2 | 15 | 60 | 5 |
| 69 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 70 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 71 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 72 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 73 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 74 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 75 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 76 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 77 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |
| No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | Affected (or higher) | Affected (or less) | Update date | Published date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 61 | 6.1 | 4.3 | MEDIUM | Network | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by… | CWE-79 (Cross-site Scripting) | CVE-2019-0221 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 9.0.1, 8.5.0, 7.0.0 | 9.0.17, 8.5.39, 7.0.93 | 2024-11-21 13:16 | 2019-05-29 |
| 62 | 5.9 | 4.3 | MEDIUM | Network | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201.… | NVD-CWE-noinfo | CVE-2019-2684 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 7.0.0, 8.5.0, 9.0.1 | 7.0.97, 8.5.47, 9.0.28 | 2024-11-21 13:41 | 2019-04-24 |
| 63 | 8.1 | 9.3 | HIGH | Network | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a b… | CWE-78 (OS Command Injection) | CVE-2019-0232 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 7.0.0, 8.5.0, 9.0.1 | 7.0.93, 8.5.39, 9.0.17 | 2024-11-21 13:16 | 2019-04-16 |
| 64 | 7.5 | 5.0 | HIGH | Network | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without re… | CWE-400 (Uncontrolled Resource Consumption) | CVE-2019-0199 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 9.0.1, 8.5.0 | 9.0.14, 8.5.37 | 2024-11-21 13:16 | 2019-04-11 |
| 65 | 4.3 | 4.3 | MEDIUM | Network | When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/f… | CWE-601 (Open Redirect) | CVE-2018-11784 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 7.0.23, 8.5.0, 9.0.1 | 7.0.90, 8.5.33, 9.0.11 | 2024-11-21 12:44 | 2018-10-4 |
| 66 | 7.5 | 5.0 | HIGH | Network | An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 t… | CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')) | CVE-2018-1336 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone27 cpe:2.3:a:apache:tomcat:9.0.0:… | 8.0.0, 8.5.0, 9.0.1, 7.0.28 | 8.0.51, 8.5.30, 9.0.7, 7.0.86 | 2024-11-21 12:59 | 2018-08-2 |
| 67 | 5.9 | 4.3 | MEDIUM | Network | If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for… | CWE-362 (Race Condition) | CVE-2018-8037 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone27 cpe:2.3:a:apache:tomcat:9.0.0:… | 8.5.5, 9.0.1 | 8.5.31, 9.0.9 | 2024-11-21 13:13 | 2018-08-2 |
| 68 | 7.5 | 5.0 | HIGH | Network | The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52… | CWE-295 (Improper Certificate Validation) | CVE-2018-8034 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 7.0.35, 9.0.1, 8.5.0, 8.0.0 | 7.0.88, 9.0.9, 8.5.31, 8.0.52 | 2024-11-21 13:13 | 2018-08-2 |
| 69 | 9.8 | 7.5 | CRITICAL | Network | The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all ori… | CWE-1188 (Insecure Default Initialization of Resource) | CVE-2018-8014 | cpe:2.3:a:apache:tomcat:9.0.0:milestone1 cpe:2.3:a:apache:tomcat:8.0.0:rc1 cpe:2.3:a:apache:tomcat:*:* | 8.0.0, 9.0.0, 8.5.0, 7.0.41 | 8.0.52, 9.0.8, 8.5.31, 7.0.88 | 2024-11-21 13:13 | 2018-05-17 |
| 70 | 5.9 | 4.3 | MEDIUM | Network | The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 … | NVD-CWE-noinfo | CVE-2018-1304 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 8.5.0, 8.0.0, 9.0.0, 7.0.0 | 8.5.27, 8.0.49, 9.0.4, 7.0.84 | 2024-11-21 12:59 | 2018-03-1 |