Vulnerabilities > Apache > Tomcat > 9.0.8
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-04-15 | CVE-2019-0232 | OS Command Injection vulnerability in Apache Tomcat When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. | 8.1 |
| 2019-04-10 | CVE-2019-0199 | Resource Exhaustion vulnerability in Apache Tomcat The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. | 7.5 |
| 2018-10-04 | CVE-2018-11784 | Open Redirect vulnerability in multiple products When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. | 4.3 |
| 2018-08-02 | CVE-2018-8037 | Race Condition vulnerability in multiple products If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. | 5.9 |
| 2018-08-01 | CVE-2018-8034 | Improper Certificate Validation vulnerability in multiple products The host name verification when using TLS with the WebSocket client was missing. | 7.5 |
| 2018-05-16 | CVE-2018-8014 | Insecure Default Initialization of Resource vulnerability in multiple products The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. | 9.8 |