Max CVSS | 7.8 | Min CVSS | 4.0 | Total Count | 2 |
ID | CVSS | Summary | Last (major) update | Published | |
CVE-2016-8747 | 5.0 |
An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different
|
15-10-2024 - 19:35 | 14-03-2017 - 09:59 | |
CVE-2016-8735 | 7.5 |
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because
|
27-06-2024 - 19:23 | 06-04-2017 - 21:59 | |
CVE-2016-3092 | 7.8 |
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (
|
17-07-2021 - 08:15 | 04-07-2016 - 22:59 | |
CVE-2014-0050 | 7.5 |
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that b
|
17-07-2021 - 08:15 | 01-04-2014 - 06:27 | |
CVE-2018-8014 | 7.5 |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter
|
03-10-2019 - 00:03 | 16-05-2018 - 16:29 | |
CVE-2014-7810 | 5.0 |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attacker
|
15-04-2019 - 16:30 | 07-06-2015 - 23:59 | |
CVE-2015-5345 | 5.0 |
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence o
|
15-04-2019 - 16:30 | 25-02-2016 - 01:59 | |
CVE-2015-5174 | 4.0 |
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /..
|
15-04-2019 - 16:30 | 25-02-2016 - 01:59 | |
CVE-2016-0714 | 6.5 |
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restric
|
15-04-2019 - 16:30 | 25-02-2016 - 01:59 | |
CVE-2014-0230 | 7.8 |
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (
|
15-04-2019 - 16:30 | 07-06-2015 - 23:59 | |
CVE-2016-0706 | 4.0 |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote aut
|
15-04-2019 - 16:30 | 25-02-2016 - 01:59 | |
CVE-2013-4590 | 4.3 |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML d
|
15-04-2019 - 16:29 | 26-02-2014 - 14:55 | |
CVE-2013-4286 | 5.8 |
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identifi
|
15-04-2019 - 16:29 | 26-02-2014 - 14:55 | |
CVE-2013-4322 | 4.3 |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field
|
15-04-2019 - 16:29 | 26-02-2014 - 14:55 | |
CVE-2014-0227 | 6.4 |
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote atta
|
15-04-2019 - 16:29 | 16-02-2015 - 00:59 | |
CVE-2014-0099 | 4.3 |
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a craf
|
15-04-2019 - 16:29 | 31-05-2014 - 11:17 | |
CVE-2014-0096 | 4.3 |
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager
|
15-04-2019 - 16:29 | 31-05-2014 - 11:17 | |
CVE-2014-0119 | 4.3 |
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web a
|
15-04-2019 - 16:29 | 31-05-2014 - 11:17 | |
CVE-2014-0075 | 5.0 |
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource
|
15-04-2019 - 16:29 | 31-05-2014 - 11:17 | |
CVE-2016-0763 | 6.5 |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, wh
|
21-03-2019 - 15:59 | 25-02-2016 - 01:59 | |
CVE-2015-5346 | 6.8 |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to
|
19-07-2018 - 01:29 | 25-02-2016 - 01:59 | |
CVE-2015-5351 | 6.8 |
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protec
|
19-07-2018 - 01:29 | 25-02-2016 - 01:59 | |
CVE-2014-0095 | 5.0 |
java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing.
|
15-11-2017 - 02:29 | 31-05-2014 - 11:17 |