Software Detail
Apache Tomcat Number Of NVD 231 CRITICAL 12 HIGH 72 MEDIUM 130 LOW 15
URL http://tomcat.apache.org/
Explanation Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and JavaServer Pages (JSP).
It was previously developed by the Jakarta project.
It can also be used as a web server for static content delivery.
It has been adopted by many companies that require large-scale, stable systems.
Tag
  • Open source
  • Apache License v2.0

Add Information URL
No Type Name URL
1 http://tomcat.apache.org/security.html
2 http://tomcat.apache.org/whichversion.html

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended (for a fee) | Critical | High | Medium | Low
91 Apache Tomcat 11.0 11.0.14 Nov. 10, 2025 Feb. 23, 2023 6 13 6 1
92 Apache Tomcat 10.1 10.1.49 Nov. 10, 2025 Sept. 26, 2022 6 19 7 2
93 Apache Tomcat 10.0 10.0.27 Oct. 10, 2022 Dec. 8, 2020 1 15 4 1
94 Apache Tomcat 9.0 9.0.118 May 10, 2026 Jan. 22, 2018 12 52 27 2
95 Apache Tomcat 8.5 8.5.100 March 25, 2024 June 13, 2016 9 44 23 2
96 Apache Tomcat 8 8.0.53 June 29, 2018 June 25, 2014 June 30, 2018 4 20 20 0
97 Apache Tomcat 7 7.0.109 April 22, 2021 June 29, 2010 March 31, 2021 7 34 56 6
98 Apache Tomcat 6 6.0.53 April 2, 2017 Dec. 1, 2006 Dec. 31, 2016 2 15 60 5
99 Apache Tomcat 5.5 5.5.9 0 0 0 0
100 Apache Tomcat 5.0 5.0.9 0 0 0 0
101 Apache Tomcat 4.1 4.1.9 0 0 0 0
102 Apache Tomcat 4.0 4.0.6 0 0 0 0
103 Apache Tomcat 3.3 3.3.2 0 0 0 0
104 Apache Tomcat 3.2 3.2.4 0 0 0 0
105 Apache Tomcat 3.1 3.1.1 0 0 0 0
106 Apache Tomcat 3.0 3.0 0 0 0 0
107 Apache Tomcat 1.1 1.1.3 0 0 0 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri (or higher / or less / more than / less than) | Update date | Published date
91 7.8
7.2
HIGH
Local
The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 L… CWE-264
Permissions, Privileges, and Access Controls
CVE-2016-9775 cpe:2.3:a:apache:tomcat:8.0:*
cpe:2.3:a:apache:tomcat:7.0:*
cpe:2.3:a:apache:tomcat:6.0:*
2024-11-21 12:01
2017-03-24
92 7.8
7.2
HIGH
Local
The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7… CWE-59
Link Following
CVE-2016-9774 cpe:2.3:a:apache:tomcat:8.0:*
cpe:2.3:a:apache:tomcat:7.0:*
cpe:2.3:a:apache:tomcat:6.0:*
2024-11-21 12:01
2017-03-24
93 7.1
6.8
HIGH
Network
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could b… CWE-20
 Improper Input Validation 
CVE-2016-6816 cpe:2.3:a:apache:tomcat:9.0.0:milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone8
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 11:56
2017-03-21
94 7.5
5.0
HIGH
Network
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data … CWE-200
Information Exposure
CVE-2016-8747 cpe:2.3:a:apache:tomcat:9.0.0:milestone15
cpe:2.3:a:apache:tomcat:9.0.0:milestone13
cpe:2.3:a:apache:tomcat:9.0.0…
2024-11-21 11:59
2017-03-14
95 7.8
7.2
HIGH
Local
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which all… CWE-264
Permissions, Privileges, and Access Controls
CVE-2016-6325 cpe:2.3:a:apache:tomcat:-:* 2024-11-21 11:55
2016-10-13
96 7.8
7.2
HIGH
Local
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows l… CWE-276
Incorrect Default Permissions 
CVE-2016-5425 cpe:2.3:a:apache:tomcat:-:* 2024-11-21 11:54
2016-10-13
97 7.8
7.2
HIGH
Local
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 … CWE-20
 Improper Input Validation 
CVE-2016-1240 cpe:2.3:a:apache:tomcat:8.0:*
cpe:2.3:a:apache:tomcat:8.0:*
cpe:2.3:a:apache:tomcat:7.0:*
cpe:2.3:a:apache:tom…
2024-11-21 11:46
2016-10-04
98 8.1
5.1
HIGH
Network
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted cli… CWE-284
Improper Access Control
CVE-2016-5388 cpe:2.3:a:apache:tomcat:*:* (or higher: 7.0, 8.0, 6.0; or less: 7.0.70, 8.5.4, 6.0.45)
2024-11-21 11:54
2016-07-19
99 7.5
7.8
HIGH
Network
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, all… CWE-20
 Improper Input Validation 
CVE-2016-3092 cpe:2.3:a:apache:tomcat:9.0.0:milestone6
cpe:2.3:a:apache:tomcat:9.0.0:milestone4
cpe:2.3:a:apache:tomcat:9.0.0:m…
2024-11-21 11:49
2016-07-05
100 8.8
6.5
HIGH
Network
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticat… CWE-264
Permissions, Privileges, and Access Controls
CVE-2016-0714 cpe:2.3:a:apache:tomcat:9.0.0:milestone1
cpe:2.3:a:apache:tomcat:8.0.3:*
cpe:2.3:a:apache:tomcat:8.0.30:*
cpe:…
2024-11-21 11:42
2016-02-25