| Max CVSS | 7.5 | Min CVSS | 1.9 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published | |
| CVE-2011-2729 | 5.0 |
native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows re
|
13-02-2023 - 04:31 | 15-08-2011 - 21:55 | |
| CVE-2010-1157 | 2.6 |
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the re
|
13-02-2023 - 04:17 | 23-04-2010 - 14:30 | |
| CVE-2009-2901 | 4.3 |
The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requ
|
13-02-2023 - 02:20 | 28-01-2010 - 20:30 | |
| CVE-2008-5515 | 5.0 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to b
|
13-02-2023 - 02:19 | 16-06-2009 - 21:00 | |
| CVE-2008-3271 | 4.3 |
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an insta
|
13-02-2023 - 02:19 | 13-10-2008 - 20:00 | |
| CVE-2008-2938 | 4.3 |
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequence
|
13-02-2023 - 02:19 | 13-08-2008 - 00:41 | |
| CVE-2008-1947 | 4.3 |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.
|
13-02-2023 - 02:19 | 04-06-2008 - 19:32 | |
| CVE-2008-2370 | 5.0 |
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traver
|
13-02-2023 - 02:19 | 04-08-2008 - 01:41 | |
| CVE-2009-0781 | 4.3 |
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary
|
13-02-2023 - 02:19 | 09-03-2009 - 21:30 | |
| CVE-2009-0580 | 4.3 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, rel
|
13-02-2023 - 02:19 | 05-06-2009 - 16:00 | |
| CVE-2007-5342 | 6.4 |
The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and ov
|
13-02-2023 - 02:18 | 27-12-2007 - 22:46 | |
| CVE-2007-5333 | 5.0 |
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as se
|
13-02-2023 - 02:18 | 12-02-2008 - 01:00 | |
| CVE-2008-1232 | 4.3 |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to
|
13-02-2023 - 02:18 | 04-08-2008 - 01:41 | |
| CVE-2006-7196 | 4.3 |
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via
|
13-02-2023 - 02:17 | 10-05-2007 - 00:19 | |
| CVE-2007-1858 | 2.6 |
The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information o
|
13-02-2023 - 02:17 | 10-05-2007 - 00:19 | |
| CVE-2007-0450 | 5.0 |
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence
|
13-02-2023 - 02:17 | 16-03-2007 - 22:19 | |
| CVE-2006-7195 | 4.3 |
Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.
|
13-02-2023 - 02:16 | 10-05-2007 - 00:19 | |
| CVE-2005-4838 | 4.3 |
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx
|
13-02-2023 - 02:16 | 31-12-2005 - 05:00 | |
| CVE-2011-2526 | 4.4 |
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restri
|
13-02-2023 - 01:20 | 14-07-2011 - 23:55 | |
| CVE-2011-0013 | 4.3 |
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the displ
|
13-02-2023 - 01:18 | 19-02-2011 - 01:00 | |
| CVE-2009-2902 | 4.3 |
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.
|
13-02-2023 - 01:17 | 28-01-2010 - 20:30 | |
| CVE-2009-0033 | 5.0 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with i
|
13-02-2023 - 01:17 | 05-06-2009 - 16:00 | |
| CVE-2009-0783 | 4.6 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3)
|
13-02-2023 - 01:17 | 05-06-2009 - 16:00 | |
| CVE-2011-1184 | 5.0 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypas
|
13-02-2023 - 00:15 | 14-01-2012 - 21:55 | |
| CVE-2005-2090 | 4.3 |
Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header
|
15-04-2019 - 16:29 | 05-07-2005 - 04:00 | |
| CVE-2011-5064 | 4.3 |
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for
|
25-03-2019 - 11:33 | 14-01-2012 - 21:55 | |
| CVE-2011-5062 | 5.0 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via
|
25-03-2019 - 11:33 | 14-01-2012 - 21:55 | |
| CVE-2011-5063 | 4.3 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging t
|
25-03-2019 - 11:33 | 14-01-2012 - 21:55 | |
| CVE-2011-2204 | 1.9 |
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive inf
|
25-03-2019 - 11:33 | 29-06-2011 - 17:55 | |
| CVE-2012-0022 | 5.0 |
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters
|
25-03-2019 - 11:33 | 19-01-2012 - 04:01 | |
| CVE-2010-2227 | 6.4 |
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via
|
25-03-2019 - 11:32 | 13-07-2010 - 17:30 | |
| CVE-2009-3548 | 7.5 |
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
|
25-03-2019 - 11:31 | 12-11-2009 - 23:30 | |
| CVE-2009-2693 | 5.8 |
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat
|
25-03-2019 - 11:30 | 28-01-2010 - 20:30 | |
| CVE-2007-6286 | 4.3 |
Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recen
|
25-03-2019 - 11:29 | 12-02-2008 - 01:00 | |
| CVE-2007-5461 | 3.5 |
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write reque
|
25-03-2019 - 11:29 | 15-10-2007 - 18:17 | |
| CVE-2006-3835 | 5.0 |
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.
|
25-03-2019 - 11:29 | 25-07-2006 - 13:22 | |
| CVE-2007-2449 | 4.3 |
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote att
|
25-03-2019 - 11:29 | 14-06-2007 - 23:30 | |
| CVE-2007-2450 | 3.5 |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote
|
25-03-2019 - 11:29 | 14-06-2007 - 23:30 | |
| CVE-2005-3510 | 5.0 |
Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files.
|
25-03-2019 - 11:29 | 06-11-2005 - 11:02 | |
| CVE-2007-1355 | 4.3 |
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attacker
|
25-03-2019 - 11:29 | 21-05-2007 - 20:30 | |
| CVE-2012-5885 | 5.0 |
The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce)
|
19-09-2017 - 01:35 | 17-11-2012 - 19:55 | |
| CVE-2012-5886 | 5.0 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers t
|
29-08-2017 - 01:32 | 17-11-2012 - 19:55 | |
| CVE-2012-5887 | 5.0 |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it e
|
29-08-2017 - 01:32 | 17-11-2012 - 19:55 |