Vulnerabilities > Apache > Tomcat
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-23 | CVE-2018-1305 | Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. | 6.5 |
| 2018-01-31 | CVE-2017-15706 | Improperly Implemented Security Check for Standard vulnerability in Apache Tomcat As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. | 5.3 |
| 2017-10-04 | CVE-2017-12617 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. | 8.1 |
| 2017-09-19 | CVE-2017-12616 | Information Exposure vulnerability in Apache Tomcat When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. | 7.5 |
| 2017-09-19 | CVE-2017-12615 | Unrestricted Upload of File with Dangerous Type vulnerability in multiple products When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. | 8.1 |
| 2017-08-11 | CVE-2017-7675 | Path Traversal vulnerability in Apache Tomcat The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. | 7.5 |
| 2017-08-11 | CVE-2017-7674 | Insufficient Verification of Data Authenticity vulnerability in Apache Tomcat The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. | 4.3 |
| 2017-08-11 | CVE-2016-6796 | A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. | 7.5 |
| 2017-08-10 | CVE-2016-8745 | 7PK - Errors vulnerability in Apache Tomcat A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. | 7.5 |
| 2017-08-10 | CVE-2016-6817 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apache Tomcat The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. | 7.5 |