Search CVE reports
51 – 60 of 103 results
CVE-2019-0199
Medium priorityThe HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response...
2 affected packages
tomcat8, tomcat9
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat8 | — | — | — | Fixed | Not affected |
| tomcat9 | — | — | — | Not affected | Not in release |
CVE-2018-11784
Medium prioritySome fixes available 4 of 9
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL...
4 affected packages
tomcat6, tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat6 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
| tomcat7 | Not in release | Not in release | Not in release | Vulnerable | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-8037
Medium priorityIf an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user....
2 affected packages
tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat8 | — | — | — | Fixed | Not affected |
| tomcat8.0 | — | — | — | Not in release | Not in release |
CVE-2018-8034
Low prioritySome fixes available 3 of 4
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-1336
Medium priorityAn improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,...
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | — | Not in release | Not in release | Not affected | Fixed |
| tomcat8 | — | Not in release | Not in release | Fixed | Fixed |
| tomcat8.0 | — | Not in release | Not in release | Not in release | Not in release |
CVE-2018-8014
Low prioritySome fixes available 5 of 7
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users...
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Fixed | Fixed |
| tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-1323
Medium priorityThe IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the...
1 affected package
tomcat8
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat8 | — | — | — | — | Not affected |
CVE-2018-1304
Medium prioritySome fixes available 3 of 5
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security...
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Not affected | Fixed |
| tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2018-1305
Medium prioritySome fixes available 3 of 5
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints...
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | Not in release | Not in release | Not in release | Not affected | Vulnerable |
| tomcat8 | Not in release | Not in release | Not in release | Not affected | Fixed |
| tomcat8.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2017-15706
Negligible prioritySome fixes available 1 of 2
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to...
3 affected packages
tomcat7, tomcat8, tomcat8.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| tomcat7 | — | — | — | Not affected | Not affected |
| tomcat8 | — | — | — | Not affected | Not affected |
| tomcat8.0 | — | — | — | Not in release | Not in release |