| Apache Tomcat | |
|---|---|
| Number Of NVD | 231 (CRITICAL 12, HIGH 72, MEDIUM 130, LOW 15) |
| URL | http://tomcat.apache.org/ |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale and stable systems. |
| Tag | |

| No | Type | Name | URL |
|---|---|---|---|
| 1 | | | http://tomcat.apache.org/security.html |
| 2 | | | http://tomcat.apache.org/whichversion.html |

| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 71 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 72 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 73 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 74 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 75 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 76 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | | | 4 | 20 | 20 | 0 |
| 77 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | | | 7 | 34 | 56 | 6 |
| 78 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | | | 2 | 15 | 60 | 5 |
| 79 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 80 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 81 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 82 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 83 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 84 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 85 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 86 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 87 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |

| No | CVSS3 / CVSS2 | Level / Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date / Published date | Show Affected | Exploit PoC Search |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 71 | 6.5 / 4.0 | MEDIUM / Network | Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. … | NVD-CWE-noinfo | CVE-2018-1305 | cpe:2.3:a:apache:tomcat:9.0.4:* cpe:2.3:a:apache:tomcat:9.0.3:* cpe:2.3:a:apache:tomcat:9.0.2:* cpe:2.3:a:apac… | 7.0.0, 8.0.0, 8.5.0 | 7.0.84, 8.0.49, 8.5.27 | | | 2024-11-21 12:59 / 2018-02-24 | Show | GitHub, Exploit DB, Packet Storm |
| 72 | 5.3 / 5.0 | MEDIUM / Network | As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorit… | CWE-358 Improperly Implemented Security Check for Standard | CVE-2017-15706 | cpe:2.3:a:apache:tomcat:9.0.1:* cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8… | 7.0.79, 8.5.16, 8.0.45 | 7.0.82, 8.5.23, 8.0.47 | | | 2024-11-21 12:15 / 2018-01-31 | Show | GitHub, Exploit DB, Packet Storm |
| 73 | 8.1 / 6.8 | HIGH / Network | When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the D… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2017-12617 | cpe:2.3:a:apache:tomcat:*:* | 7.0.0, 8.0, 8.5.0, 9.0.0 | | | 7.0.82, 8.0.47, 8.5.23, 9.0.1 | 2026-04-22 02:03 / 2017-10-4 | Show | GitHub, Exploit DB, Packet Storm |
| 74 | 8.1 / 6.8 | HIGH / Network | When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to t… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2017-12615 | cpe:2.3:a:apache:tomcat:*:* | 7.0.0 | 7.0.79 | | | 2026-04-22 02:04 / 2017-09-19 | Show | GitHub, Exploit DB, Packet Storm |
| 75 | 7.5 / 5.0 | HIGH / Network | When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext usin… | CWE-200 Information Exposure | CVE-2017-12616 | cpe:2.3:a:apache:tomcat:7.0.9:* cpe:2.3:a:apache:tomcat:7.0.8:* cpe:2.3:a:apache:tomcat:7.0.80:* cpe:2.3:a:apa… | | | | | 2024-11-21 12:09 / 2017-09-19 | Show | GitHub, Exploit DB, Packet Storm |
| 76 | 7.5 / 5.0 | HIGH / Network | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypa… | CWE-22 Path Traversal | CVE-2017-7675 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:32 / 2017-08-11 | Show | GitHub, Exploit DB, Packet Storm |
| 77 | 4.3 / 4.3 | MEDIUM / Network | The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Orig… | CWE-345 Insufficient Verification of Data Authenticity | CVE-2017-7674 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:32 / 2017-08-11 | Show | GitHub, Exploit DB, Packet Storm |
| 78 | 7.5 / 5.0 | HIGH / Network | A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via… | NVD-CWE-noinfo | CVE-2016-6796 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 6.0.0, 7.0.0, 8.0, 8.5.0 | 6.0.45, 7.0.70, 8.0.36, 8.5.4 | | | 2024-11-21 11:56 / 2017-08-11 | Show | GitHub, Exploit DB, Packet Storm |
| 79 | 7.5 / 5.0 | HIGH / Network | The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of s… | CWE-119 Incorrect Access of Indexable Resource ('Range Error') | CVE-2016-6817 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 11:56 / 2017-08-11 | Show | GitHub, Exploit DB, Packet Storm |
| 80 | 7.5 / 5.0 | HIGH / Network | A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted… | CWE-388 7PK - Errors | CVE-2016-8745 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 11:59 / 2017-08-11 | Show | GitHub, Exploit DB, Packet Storm |