| Apache Tomcat | |
|---|---|
| Number Of NVD | 231 (CRITICAL: 12, HIGH: 72, MEDIUM: 130, LOW: 15) |
| URL | http://tomcat.apache.org/ |
| Explanation | Apache Tomcat is a web container (servlet container, servlet engine) for running Java Servlets and Java Server Pages (JSP). It was previously developed by the Jakarta project. It can also be used as a web server for static content delivery. It has been adopted by many companies that require large-scale and stable systems. |

| No | Type | Name | URL |
|---|---|---|---|
| 1 | | | http://tomcat.apache.org/security.html |
| 2 | | | http://tomcat.apache.org/whichversion.html |

| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 81 | Apache Tomcat 11.0 | 11.0.14 | Nov. 10, 2025 | Feb. 23, 2023 | | | | 6 | 13 | 6 | 1 |
| 82 | Apache Tomcat 10.1 | 10.1.49 | Nov. 10, 2025 | Sept. 26, 2022 | | | | 6 | 19 | 7 | 2 |
| 83 | Apache Tomcat 10.0 | 10.0.27 | Oct. 10, 2022 | Dec. 8, 2020 | | | | 1 | 15 | 4 | 1 |
| 84 | Apache Tomcat 9.0 | 9.0.118 | May 10, 2026 | Jan. 22, 2018 | | | | 12 | 52 | 27 | 2 |
| 85 | Apache Tomcat 8.5 | 8.5.100 | March 25, 2024 | June 13, 2016 | | | | 9 | 44 | 23 | 2 |
| 86 | Apache Tomcat 8 | 8.0.53 | June 29, 2018 | June 25, 2014 | June 30, 2018 | | | 4 | 20 | 20 | 0 |
| 87 | Apache Tomcat 7 | 7.0.109 | April 22, 2021 | June 29, 2010 | March 31, 2021 | | | 7 | 34 | 56 | 6 |
| 88 | Apache Tomcat 6 | 6.0.53 | April 2, 2017 | Dec. 1, 2006 | Dec. 31, 2016 | | | 2 | 15 | 60 | 5 |
| 89 | Apache Tomcat 5.5 | 5.5.9 | | | | | | 0 | 0 | 0 | 0 |
| 90 | Apache Tomcat 5.0 | 5.0.9 | | | | | | 0 | 0 | 0 | 0 |
| 91 | Apache Tomcat 4.1 | 4.1.9 | | | | | | 0 | 0 | 0 | 0 |
| 92 | Apache Tomcat 4.0 | 4.0.6 | | | | | | 0 | 0 | 0 | 0 |
| 93 | Apache Tomcat 3.3 | 3.3.2 | | | | | | 0 | 0 | 0 | 0 |
| 94 | Apache Tomcat 3.2 | 3.2.4 | | | | | | 0 | 0 | 0 | 0 |
| 95 | Apache Tomcat 3.1 | 3.1.1 | | | | | | 0 | 0 | 0 | 0 |
| 96 | Apache Tomcat 3.0 | 3.0 | | | | | | 0 | 0 | 0 | 0 |
| 97 | Apache Tomcat 1.1 | 1.1.3 | | | | | | 0 | 0 | 0 | 0 |

| No | CVSS3 / CVSS2 | Level / Attack Vector | Title | CWE | CVE | cpe23Uri | or higher | or less | more than | less than | Update date / Published date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 81 | 7.5 / 5.0 | HIGH / Network | The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global J… | CWE-863 Incorrect Authorization | CVE-2016-6797 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 6.0.0, 7.0.0, 8.0, 8.5.0 | 6.0.45, 7.0.70, 8.0.36, 8.5.4 | | | 2024-11-21 11:56 / 2017-08-11 |
| 82 | 5.3 / 5.0 | MEDIUM / Network | When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.R… | NVD-CWE-noinfo | CVE-2016-6794 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 6.0.0, 7.0.0, 8.0, 8.5.0 | 6.0.45, 7.0.70, 8.0.36, 8.5.4 | | | 2024-11-21 11:56 / 2017-08-11 |
| 83 | 9.1 / 6.4 | CRITICAL / Network | In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomca… | NVD-CWE-noinfo | CVE-2016-5018 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 6.0.0, 7.0.0, 8.0, 8.5.0 | 6.0.45, 7.0.70, 8.0.36, 8.5.4 | | | 2024-11-21 11:53 / 2017-08-11 |
| 84 | 5.9 / 4.3 | MEDIUM / Network | The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplie… | CWE-203 Information Exposure Through Discrepancy | CVE-2016-0762 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 6.0.0, 7.0.0, 8.0, 8.5.0 | 6.0.45, 7.0.70, 8.0.36, 8.5.4 | | | 2024-11-21 11:42 / 2017-08-11 |
| 85 | 7.5 / 5.0 | HIGH / Network | The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwa… | CWE-755 Improper Handling of Exceptional Conditions | CVE-2017-5664 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:28 / 2017-06-6 |
| 86 | 9.8 / 7.5 | CRITICAL / Network | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, … | NVD-CWE-noinfo | CVE-2017-5651 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:28 / 2017-04-18 |
| 87 | 7.5 / 5.0 | HIGH / Network | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting f… | CWE-404 Improper Resource Shutdown or Release | CVE-2017-5650 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:28 / 2017-04-18 |
| 88 | 9.1 / 6.4 | CRITICAL / Network | While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use th… | CWE-668 Exposure of Resource to Wrong Sphere | CVE-2017-5648 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:28 / 2017-04-18 |
| 89 | 7.5 / 5.0 | HIGH / Network | A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in… | CWE-200 Information Exposure | CVE-2017-5647 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | | | | | 2024-11-21 12:28 / 2017-04-18 |
| 90 | 9.8 / 7.5 | CRITICAL / Network | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an att… | NVD-CWE-noinfo | CVE-2016-8735 | cpe:2.3:a:apache:tomcat:9.0.0:milestone9 cpe:2.3:a:apache:tomcat:9.0.0:milestone8 cpe:2.3:a:apache:tomcat:9.0.0:m… | 7.0.0, 8.0, 8.5.0 | | | 6.0.48, 7.0.73, 8.0.39, 8.5.7 | 2026-04-22 02:03 / 2017-04-7 |