| Bug | Description |
|---|
| TEMP-0840685-CEF76B | TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory |
| CVE-2018-8037 | If an async request was completed by the application at the same time ... |
| CVE-2018-8034 | The host name verification when using TLS with the WebSocket client ... |
| CVE-2018-1336 | An improper handing of overflow in the UTF-8 decoder with ... |
| CVE-2018-1305 | Security constraints defined by annotations of Servlets in Apache ... |
| CVE-2018-1304 | The URL pattern of "" (the empty string) which exactly maps to the ... |
| CVE-2017-7675 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and ... |
| CVE-2017-7674 | The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to ... |
| CVE-2017-6056 | It was discovered that a programming error in the processing of HTTPS ... |
| CVE-2017-5664 | The error page mechanism of the Java Servlet Specification requires ... |
| CVE-2017-5651 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ... |
| CVE-2017-5650 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the ... |
| CVE-2017-5648 | While investigating bug 60718, it was noticed that some calls to ... |
| CVE-2017-5647 | A bug in the handling of the pipelined requests in Apache Tomcat ... |
| CVE-2017-15706 | As part of the fix for bug 61201, the documentation for Apache Tomcat ... |
| CVE-2017-12617 | When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ... |
| CVE-2016-9775 | The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 ... |
| CVE-2016-9774 | The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 ... |
| CVE-2016-8747 | An information disclosure issue was discovered in Apache Tomcat 8.5.7 ... |
| CVE-2016-8745 | A bug in the error handling of the send file code for the NIO HTTP ... |
| CVE-2016-8735 | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x ... |
| CVE-2016-6817 | The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and ... |
| CVE-2016-6816 | The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, ... |
| CVE-2016-6797 | The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to ... |
| CVE-2016-6796 | A malicious web application running on Apache Tomcat 9.0.0.M1 to ... |
| CVE-2016-6794 | When a SecurityManager is configured, a web application's ability to ... |
| CVE-2016-6325 | The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, ... |
| CVE-2016-5425 | The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, ... |
| CVE-2016-5018 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to ... |
| CVE-2016-3092 | The MultipartStream class in Apache Commons Fileupload before 1.3.2, ... |
| CVE-2016-1240 | The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 ... |
| CVE-2016-0763 | The setGlobalContext method in ... |
| CVE-2016-0762 | The Realm implementations in Apache Tomcat versions 9.0.0.M1 to ... |
| CVE-2016-0714 | The session-persistence implementation in Apache Tomcat 6.x before ... |
| CVE-2016-0706 | Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ... |
| CVE-2015-5351 | The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ... |
| CVE-2015-5346 | Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ... |
| CVE-2015-5345 | The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before ... |
| CVE-2015-5174 | Directory traversal vulnerability in RequestUtil.java in Apache Tomcat ... |
| CVE-2014-7810 | The Expression Language (EL) implementation in Apache Tomcat 6.x ... |
| CVE-2014-0230 | Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before ... |
| CVE-2014-0227 | java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in ... |
| CVE-2014-0119 | Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 ... |
| CVE-2014-0099 | Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in ... |
| CVE-2014-0096 | java/org/apache/catalina/servlets/DefaultServlet.java in the default ... |
| CVE-2014-0095 | java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat ... |
| CVE-2014-0075 | Integer overflow in the parseChunkHeader function in ... |
| CVE-2013-4590 | Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before ... |
| CVE-2013-4322 | Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before ... |
| CVE-2013-4286 | Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before ... |