Skip to main content

Tomcat

255 CVEs product

Monthly

CVE-2015-1778 Maven CRITICAL PATCH GHSA Act Now

The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Authentication Bypass Opendaylight
NVD
CVSS 3.0
9.8
EPSS
3.0%
CVE-2017-6683 HIGH This Week

A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection Elastic Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
9.5%
CVE-2017-6682 HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection Elastic Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-5664 Maven HIGH PATCH Act Now

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.8%.

Tomcat Java Apache Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
10.8%
CVE-2017-7428 MEDIUM This Month

NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of connection parameters with Tomcat. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Imanager
NVD
CVSS 3.0
5.3
EPSS
0.3%
CVE-2017-5651 Maven CRITICAL PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
9.8
EPSS
6.1%
CVE-2017-5650 Maven HIGH PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.7%.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
12.7%
CVE-2017-5648 Maven CRITICAL PATCH Act Now

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 21.8%.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
9.1
EPSS
21.8%
CVE-2017-5647 Maven HIGH PATCH This Week

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2016-6808 CRITICAL POC THREAT Emergency

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Buffer Overflow Tomcat Apache Tomcat Jk Connector
NVD
CVSS 3.0
9.8
EPSS
29.5%
Threat
4.3
CVE-2016-8735 Maven CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Oracle Tomcat RCE
NVD
CVSS 3.1
9.8
EPSS
93.8%
Threat
7.8
CVE-2016-9775 HIGH This Week

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian Privilege Escalation Debian Linux +1
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-9774 HIGH This Week

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian Information Disclosure Debian Linux +1
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-6816 Maven HIGH POC PATCH This Week

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Tomcat Apache
NVD Exploit-DB
CVSS 3.0
7.1
EPSS
2.9%
CVE-2016-8747 Maven HIGH PATCH This Week

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Tomcat Java
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2017-6056 HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat Debian Ubuntu +2
NVD
CVSS 3.0
7.5
EPSS
15.9%
CVE-2016-9879 Maven HIGH PATCH This Week

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass IBM Java Apache +2
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2016-5526 HIGH PATCH This Week

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Tomcat Apache Authentication Bypass Agile Product Lifecycle Management
NVD
CVSS 3.0
7.3
EPSS
0.3%
CVE-2016-6325 HIGH This Week

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Red Hat Privilege Escalation
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-5425 HIGH POC THREAT Act Now

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 11.6%.

Tomcat Red Hat Privilege Escalation Oracle
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
11.6%
CVE-2016-1240 HIGH POC THREAT Act Now

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Tomcat Information Disclosure Ubuntu Debian Java
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
22.1%
CVE-2016-5388 Maven HIGH PATCH Act Now

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.8%.

Apache Tomcat Authentication Bypass Enterprise Linux Desktop Enterprise Linux Hpc Node +8
NVD
CVSS 3.0
8.1
EPSS
36.8%
CVE-2016-3092 Maven HIGH PATCH Act Now

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.9%.

Tomcat Denial Of Service Apache Icewall Identity Manager Icewall Sso Agent Option +3
NVD
CVSS 3.0
7.5
EPSS
33.9%
CVE-2016-2961 MEDIUM This Month

The integration server in IBM Integration Bus 9 before 9.0.0.6 and 10 before 10.0.0.5 and WebSphere Message Broker 8 before 8.0.0.8 allows remote attackers to obtain sensitive Tomcat version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Tomcat Information Disclosure Java Integration Bus +1
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2016-0763 Maven MEDIUM PATCH This Month

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Java Privilege Escalation Apache +2
NVD
CVSS 3.0
6.3
EPSS
0.3%
CVE-2016-0714 Maven HIGH PATCH Act Now

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.2%.

Tomcat RCE Privilege Escalation Apache Debian Linux +1
NVD
CVSS 3.0
8.8
EPSS
13.2%
CVE-2016-0706 Maven MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Information Disclosure Apache Ubuntu Linux Debian Linux
NVD
CVSS 3.0
4.3
EPSS
1.5%
CVE-2015-5351 Maven HIGH PATCH This Week

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Tomcat CSRF Apache Debian Linux Ubuntu Linux
NVD
CVSS 3.0
8.8
EPSS
2.3%
CVE-2015-5346 Maven HIGH PATCH Act Now

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.2%.

Tomcat Information Disclosure Java Apache Ubuntu Linux +1
NVD
CVSS 3.0
8.1
EPSS
36.2%
CVE-2015-5345 Maven MEDIUM PATCH This Month

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 43.3%.

Path Traversal Tomcat Apache Debian Linux Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
43.3%
CVE-2015-5174 Maven MEDIUM PATCH This Month

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tomcat Java Apache Debian Linux +1
NVD
CVSS 3.0
4.3
EPSS
3.7%
CVE-2015-3158 Maven MEDIUM PATCH This Month

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Java Picketlink
NVD GitHub
CVSS 2.0
4.0
EPSS
0.5%
CVE-2015-4269 MEDIUM This Month

The Tomcat throttling feature in Cisco Unified Communications Manager 10.5(1.99995.9) allows remote authenticated users to cause a denial of service (management outage) by sending many requests, aka. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Denial Of Service Unified Communications Manager
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2014-7810 Maven MEDIUM PATCH This Month

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Authentication Bypass Debian Linux
NVD
CVSS 2.0
5.0
EPSS
9.5%
CVE-2014-0230 Maven HIGH PATCH This Week

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Apache Virtualization
NVD
CVSS 2.0
7.8
EPSS
3.1%
CVE-2014-8111 MEDIUM This Month

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Apache Tomcat Connectors
NVD
CVSS 2.0
5.0
EPSS
3.7%
CVE-2014-2130 MEDIUM This Month

Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco Privilege Escalation Apache +1
NVD
CVSS 2.0
6.5
EPSS
1.2%
CVE-2014-0227 Maven MEDIUM PATCH This Month

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 78.2%.

Tomcat Denial Of Service Java Apache
NVD
CVSS 2.0
6.4
EPSS
78.2%
CVE-2013-4444 Maven MEDIUM PATCH This Month

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Tomcat Code Injection File Upload RCE Apache
NVD
CVSS 2.0
6.8
EPSS
9.5%
CVE-2014-0871 MEDIUM POC THREAT This Month

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to obtain potentially sensitive Tomcat stack-trace information via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 15.8%.

IBM Tomcat Information Disclosure Algo Credit Limits Algorithmics
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
15.8%
CVE-2014-0186 MEDIUM This Month

A certain tomcat7 package for Apache Tomcat 7 in Red Hat Enterprise Linux (RHEL) 7 allows remote attackers to cause a denial of service (CPU consumption) via a crafted request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Red Hat Denial Of Service Apache Enterprise Linux
NVD
CVSS 2.0
5.0
EPSS
0.7%
CVE-2014-0119 Maven MEDIUM PATCH This Month

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat XXE Privilege Escalation Apache
NVD
CVSS 2.0
4.3
EPSS
4.4%
CVE-2014-0099 Maven MEDIUM PATCH This Month

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 37.9%.

Tomcat Buffer Overflow Java Apache
NVD
CVSS 2.0
4.3
EPSS
37.9%
CVE-2014-0096 Maven MEDIUM PATCH This Month

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat XXE Java Privilege Escalation Apache
NVD
CVSS 2.0
4.3
EPSS
5.8%
CVE-2014-0095 Maven MEDIUM PATCH This Month

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Java Apache
NVD
CVSS 2.0
5.0
EPSS
9.7%
CVE-2014-0075 Maven MEDIUM PATCH This Month

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 46.7%.

Tomcat Denial Of Service Java Apache
NVD
CVSS 2.0
5.0
EPSS
46.7%
CVE-2014-0050 Maven HIGH POC PATCH THREAT Act Now

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.7%.

Tomcat Denial Of Service Java Privilege Escalation Apache +2
NVD Exploit-DB VulDB
CVSS 2.0
7.5
EPSS
92.7%
Threat
5.8
CVE-2014-0033 Maven MEDIUM PATCH This Month

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 16.2%.

Tomcat Apache Information Disclosure Java
NVD
CVSS 2.0
4.3
EPSS
16.2%
CVE-2013-4590 Maven MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure XXE Debian Linux +1
NVD
CVSS 2.0
4.3
EPSS
0.9%
CVE-2013-4322 Maven MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 36.7%.

Tomcat Denial Of Service Apache
NVD
CVSS 2.0
4.3
EPSS
36.7%
CVE-2013-4286 Maven MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Epss exploitation probability 23.6%.

Tomcat Apache Information Disclosure
NVD
CVSS 2.0
5.8
EPSS
23.6%
CVE-2013-0346 LOW Monitor

Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Privilege Escalation Apache
NVD
CVSS 2.0
2.1
EPSS
0.6%
CVE-2013-2185 Maven HIGH PATCH This Week

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Red Hat Apache Information Disclosure Jboss Enterprise Application Platform +1
NVD
CVSS 2.0
7.5
EPSS
5.3%
CVE-2013-6357 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Apache Tomcat
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
1.3%
CVE-2013-5528 MEDIUM POC THREAT This Month

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 61.5%.

Tomcat Path Traversal Cisco Unified Communications Manager
NVD Exploit-DB
CVSS 2.0
4.0
EPSS
61.5%
Threat
4.1
CVE-2013-2051 LOW Monitor

The Tomcat 6 DIGEST authentication functionality as used in Red Hat Enterprise Linux 6 allows remote attackers to bypass intended access restrictions by performing a replay attack after a nonce. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Tomcat Enterprise Linux
NVD
CVSS 2.0
2.6
EPSS
0.3%
CVE-2013-1976 MEDIUM This Month

The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow. Rated medium severity (CVSS 6.9). No vendor patch available.

Tomcat Red Hat Information Disclosure Jboss Enterprise Web Server Enterprise Linux
NVD
CVSS 2.0
6.9
EPSS
0.0%
CVE-2013-2071 Maven LOW POC PATCH Monitor

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Tomcat Apache Information Disclosure Java
NVD
CVSS 2.0
2.6
EPSS
8.4%
CVE-2013-2067 Maven MEDIUM PATCH This Month

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 10.4%.

Tomcat Apache Java Authentication Bypass
NVD
CVSS 2.0
6.8
EPSS
10.4%
CVE-2012-3544 Maven MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.8%.

Tomcat Denial Of Service Apache
NVD
CVSS 2.0
5.0
EPSS
44.8%
CVE-2013-1222 HIGH This Week

The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to launch. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Cisco Unified Customer Voice Portal
NVD
CVSS 2.0
7.8
EPSS
0.3%
CVE-2013-1221 CRITICAL Act Now

The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco Unified Customer Voice Portal
NVD
CVSS 2.0
10.0
EPSS
5.0%
CVE-2013-3507 MEDIUM This Month

The NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to obtain sensitive information via a direct request for (1) a configuration file, (2) a database dump, or. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Groundwork Monitor
NVD
CVSS 2.0
4.0
EPSS
0.7%
CVE-2013-1088 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 before SP6 Patch 1 allows remote attackers to hijack the authentication of arbitrary users by leveraging improper request. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat Imanager
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2012-4534 LOW POC PATCH THREAT Monitor

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 22.8%.

Tomcat Denial Of Service Apache Java
NVD
CVSS 2.0
2.6
EPSS
22.8%
CVE-2012-4431 Maven MEDIUM PATCH This Month

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

CSRF Privilege Escalation Java Apache Tomcat
NVD
CVSS 2.0
4.3
EPSS
9.8%
CVE-2012-3546 Maven MEDIUM PATCH This Month

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat Privilege Escalation Apache Java
NVD
CVSS 2.0
4.3
EPSS
2.2%
CVE-2012-5568 MEDIUM POC THREAT This Month

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Tomcat Denial Of Service Apache Opensuse
NVD
CVSS 2.0
5.0
EPSS
13.8%
CVE-2012-5887 Maven MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat
NVD
CVSS 2.0
5.0
EPSS
12.1%
CVE-2012-5886 Maven MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Apache Authentication Bypass
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2012-5885 Maven MEDIUM PATCH This Month

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Apache
NVD
CVSS 2.0
5.0
EPSS
2.3%
CVE-2012-2733 MEDIUM This Month

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.3% and no vendor patch available.

Tomcat Denial Of Service Apache Java
NVD
CVSS 2.0
5.0
EPSS
20.3%
CVE-2012-3908 MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE Administrator user interface (aka the Apache Tomcat interface) on Cisco Identity Services Engine (ISE) 3300 series appliances. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat Cisco Identity Services Engine Software +1
NVD
CVSS 2.0
6.8
EPSS
0.1%
CVE-2012-3126 MEDIUM This Month

Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to. Rated medium severity (CVSS 6.2). No vendor patch available.

Tomcat Apache Oracle Information Disclosure Sun Products Suite
NVD
CVSS 2.0
6.2
EPSS
0.1%
CVE-2012-0022 Maven MEDIUM PATCH This Month

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 23.4%.

Tomcat Denial Of Service Apache
NVD
CVSS 2.0
5.0
EPSS
23.4%
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Authentication Bypass Opendaylight
NVD
EPSS 9% CVSS 8.8
HIGH This Week

A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection +2
NVD
EPSS 11% CVSS 7.5
HIGH PATCH Act Now

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.8%.

Tomcat Java Apache +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of connection parameters with Tomcat. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Imanager
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
EPSS 13% CVSS 7.5
HIGH PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.7%.

Tomcat Apache Information Disclosure
NVD
EPSS 22% CVSS 9.1
CRITICAL PATCH Act Now

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 21.8%.

Tomcat Apache Information Disclosure
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure
NVD
EPSS 29% 4.3 CVSS 9.8
CRITICAL POC THREAT Emergency

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Buffer Overflow Tomcat Apache +1
NVD
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Apache Oracle Tomcat +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian +3
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Ubuntu Debian +3
NVD
EPSS 3% CVSS 7.1
HIGH POC PATCH This Week

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Tomcat Apache
NVD Exploit-DB
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Tomcat +1
NVD
EPSS 16% CVSS 7.5
HIGH Act Now

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 15.9% and no vendor patch available.

Denial Of Service Apache Tomcat +4
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass IBM +4
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Tomcat Apache +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Red Hat Privilege Escalation
NVD
EPSS 12% CVSS 7.8
HIGH POC THREAT Act Now

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 11.6%.

Tomcat Red Hat Privilege Escalation +1
NVD Exploit-DB
EPSS 22% CVSS 7.8
HIGH POC THREAT Act Now

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Tomcat Information Disclosure Ubuntu +2
NVD Exploit-DB
EPSS 37% CVSS 8.1
HIGH PATCH Act Now

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.8%.

Apache Tomcat Authentication Bypass +10
NVD
EPSS 34% CVSS 7.5
HIGH PATCH Act Now

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.9%.

Tomcat Denial Of Service Apache +5
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The integration server in IBM Integration Bus 9 before 9.0.0.6 and 10 before 10.0.0.5 and WebSphere Message Broker 8 before 8.0.0.8 allows remote attackers to obtain sensitive Tomcat version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Tomcat Information Disclosure +3
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Java +4
NVD
EPSS 13% CVSS 8.8
HIGH PATCH Act Now

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.2%.

Tomcat RCE Privilege Escalation +3
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Information Disclosure Apache +2
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Tomcat CSRF Apache +2
NVD
EPSS 36% CVSS 8.1
HIGH PATCH Act Now

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 36.2%.

Tomcat Information Disclosure Java +3
NVD
EPSS 43% CVSS 5.3
MEDIUM PATCH This Month

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 43.3%.

Path Traversal Tomcat Apache +2
NVD
EPSS 4% CVSS 4.3
MEDIUM PATCH This Month

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tomcat Java +3
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Java +1
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM This Month

The Tomcat throttling feature in Cisco Unified Communications Manager 10.5(1.99995.9) allows remote authenticated users to cause a denial of service (management outage) by sending many requests, aka. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Denial Of Service +1
NVD
EPSS 9% CVSS 5.0
MEDIUM PATCH This Month

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Apache Tomcat Authentication Bypass +1
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Apache +1
NVD
EPSS 4% CVSS 5.0
MEDIUM This Month

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Apache +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco +3
NVD
EPSS 78% CVSS 6.4
MEDIUM PATCH This Month

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 78.2%.

Tomcat Denial Of Service Java +1
NVD
EPSS 9% CVSS 6.8
MEDIUM PATCH This Month

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Tomcat Code Injection File Upload +2
NVD
EPSS 16% CVSS 4.3
MEDIUM POC THREAT This Month

RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows remote attackers to obtain potentially sensitive Tomcat stack-trace information via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 15.8%.

IBM Tomcat Information Disclosure +2
NVD Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM This Month

A certain tomcat7 package for Apache Tomcat 7 in Red Hat Enterprise Linux (RHEL) 7 allows remote attackers to cause a denial of service (CPU consumption) via a crafted request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Red Hat Denial Of Service +2
NVD
EPSS 4% CVSS 4.3
MEDIUM PATCH This Month

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat XXE Privilege Escalation +1
NVD
EPSS 38% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 37.9%.

Tomcat Buffer Overflow Java +1
NVD
EPSS 6% CVSS 4.3
MEDIUM PATCH This Month

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat XXE Java +2
NVD
EPSS 10% CVSS 5.0
MEDIUM PATCH This Month

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Denial Of Service Java +1
NVD
EPSS 47% CVSS 5.0
MEDIUM PATCH This Month

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 46.7%.

Tomcat Denial Of Service Java +1
NVD
EPSS 93% 5.8 CVSS 7.5
HIGH POC PATCH THREAT Act Now

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.7%.

Tomcat Denial Of Service Java +4
NVD Exploit-DB VulDB
EPSS 16% CVSS 4.3
MEDIUM PATCH This Month

org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 16.2%.

Tomcat Apache Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Tomcat Apache Information Disclosure +3
NVD
EPSS 37% CVSS 4.3
MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 36.7%.

Tomcat Denial Of Service Apache
NVD
EPSS 24% CVSS 5.8
MEDIUM PATCH This Month

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Epss exploitation probability 23.6%.

Tomcat Apache Information Disclosure
NVD
EPSS 1% CVSS 2.1
LOW Monitor

Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Tomcat Privilege Escalation Apache
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Red Hat Apache +3
NVD
EPSS 1% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Apache Tomcat
NVD Exploit-DB
EPSS 62% 4.1 CVSS 4.0
MEDIUM POC THREAT This Month

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 61.5%.

Tomcat Path Traversal Cisco +1
NVD Exploit-DB
EPSS 0% CVSS 2.6
LOW Monitor

The Tomcat 6 DIGEST authentication functionality as used in Red Hat Enterprise Linux 6 allows remote attackers to bypass intended access restrictions by performing a replay attack after a nonce. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Tomcat +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow. Rated medium severity (CVSS 6.9). No vendor patch available.

Tomcat Red Hat Information Disclosure +2
NVD
EPSS 8% CVSS 2.6
LOW POC PATCH Monitor

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 10% CVSS 6.8
MEDIUM PATCH This Month

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Epss exploitation probability 10.4%.

Tomcat Apache Java +1
NVD
EPSS 45% CVSS 5.0
MEDIUM PATCH This Month

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.8%.

Tomcat Denial Of Service Apache
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to launch. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Cisco +1
NVD
EPSS 5% CVSS 10.0
CRITICAL Act Now

The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Cisco +1
NVD
EPSS 1% CVSS 4.0
MEDIUM This Month

The NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to obtain sensitive information via a direct request for (1) a configuration file, (2) a database dump, or. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Groundwork Monitor
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 before SP6 Patch 1 allows remote attackers to hijack the authentication of arbitrary users by leveraging improper request. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat +1
NVD
EPSS 23% CVSS 2.6
LOW POC PATCH THREAT Monitor

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 22.8%.

Tomcat Denial Of Service Apache +1
NVD
EPSS 10% CVSS 4.3
MEDIUM PATCH This Month

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

CSRF Privilege Escalation Java +2
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Tomcat Privilege Escalation Apache +1
NVD
EPSS 14% CVSS 5.0
MEDIUM POC THREAT This Month

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Tomcat Denial Of Service Apache +1
NVD
EPSS 12% CVSS 5.0
MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Tomcat Apache Authentication Bypass
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Privilege Escalation Apache
NVD
EPSS 20% CVSS 5.0
MEDIUM This Month

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.3% and no vendor patch available.

Tomcat Denial Of Service Apache +1
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE Administrator user interface (aka the Apache Tomcat interface) on Cisco Identity Services Engine (ISE) 3300 series appliances. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Tomcat +3
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to. Rated medium severity (CVSS 6.2). No vendor patch available.

Tomcat Apache Oracle +2
NVD
EPSS 23% CVSS 5.0
MEDIUM PATCH This Month

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 23.4%.

Tomcat Denial Of Service Apache
NVD
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy