CVE search results

21 – 30 of 115 results

Detailed view

Sort by:

CVE-2021-25122

Medium priority

Some fixes available 3 of 9

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another...

4 affected packages

tomcat6, tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat6	Not in release	Not in release	Not in release	Not in release
tomcat7	Not in release	Not in release	Not in release	Not affected
tomcat8	Not in release	Not in release	Not in release	Fixed
tomcat9	Not affected	Not affected	Fixed	Fixed

CVE-2021-24122

Negligible priority

Needs evaluation

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in...

4 affected packages

tomcat6, tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat6	Not in release	Not in release	Not in release	Not in release
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Needs evaluation	Needs evaluation	Needs evaluation	Needs evaluation

CVE-2020-13935

Medium priority

Some fixes available 2 of 10

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop....

4 affected packages

tomcat6, tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat6	Not in release	Not in release	Not in release	Not in release
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Not affected	Not affected	Fixed	Needs evaluation

CVE-2020-13934

Medium priority

Some fixes available 1 of 8

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an...

4 affected packages

tomcat6, tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat6	Not in release	Not in release	Not in release	Not in release
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Not affected	Not affected	Fixed	Needs evaluation

CVE-2020-9484

Low priority

Some fixes available 7 of 8

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	Not in release	Not in release	Not in release	Fixed
tomcat8	Not in release	Not in release	Not in release	Fixed
tomcat9	Not affected	Not affected	Fixed	Fixed

CVE-2020-1938

Low priority

Ignored

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	Not in release	Not in release	Not in release	Ignored
tomcat8	Not in release	Not in release	Not in release	Ignored
tomcat9	Not affected	Not affected	Not affected	Ignored

CVE-2020-1935

Low priority

Some fixes available 1 of 7

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Not affected	Not affected	Not affected	Needs evaluation

CVE-2019-17569

Low priority

Not affected

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	—	—	—	Not affected
tomcat8	—	—	—	Not affected
tomcat9	—	—	—	Not affected

CVE-2019-12418

Medium priority

Some fixes available 1 of 8

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Not affected	Not affected	Not affected	Needs evaluation

CVE-2019-17563

Low priority

Some fixes available 1 of 8

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow...

3 affected packages

tomcat7, tomcat8, tomcat9

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
tomcat7	Not in release	Not in release	Not in release	Needs evaluation
tomcat8	Not in release	Not in release	Not in release	Needs evaluation
tomcat9	Not affected	Not affected	Not affected	Needs evaluation

Export to JSON

Results by page:

Search CVE reports