| Bug | Description |
|---|
| CVE-2024-24549 | Denial of Service due to improper input validation vulnerability for H ... |
| CVE-2024-23672 | Denial of Service via incomplete cleanup vulnerability in Apache Tomca ... |
| CVE-2024-22029 | Insecure permissions in the packaging of tomcat allow local users that ... |
| CVE-2023-46589 | Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 1 ... |
| CVE-2023-45648 | Improper Input Validation vulnerability in Apache Tomcat.Tomcatfrom 11 ... |
| CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consum ... |
| CVE-2023-42795 | Incomplete Cleanup vulnerability in Apache Tomcat.When recycling vario ... |
| CVE-2023-42794 | Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork ... |
| CVE-2023-41080 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ... |
| CVE-2023-34981 | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1 ... |
| CVE-2023-28709 | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 ... |
| CVE-2023-28708 | When using the RemoteIpFilter with requests received from a reverse ... |
| CVE-2023-24998 | Apache Commons FileUpload before 1.5 does not limit the number of requ ... |
| CVE-2022-45143 | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ... |
| CVE-2022-42252 | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10. ... |
| CVE-2022-29885 | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 ... |
| CVE-2022-25762 | If a web application sends a WebSocket message concurrently with the W ... |
| CVE-2022-23181 | The fix for bug CVE-2020-9484 introduced a time of check, time of use ... |
| CVE-2021-43980 | The simplified implementation of blocking reads and writes introduced ... |
| CVE-2021-42340 | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, ... |
| CVE-2021-41079 | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10. ... |
| CVE-2021-33037 | Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5 ... |
| CVE-2021-30640 | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker ... |
| CVE-2021-30639 | A vulnerability in Apache Tomcat allows an attacker to remotely trigge ... |
| CVE-2021-25329 | The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10. ... |
| CVE-2021-25122 | When responding to new h2c connection requests, Apache Tomcat versions ... |
| CVE-2021-24122 | When serving resources from a network location using the NTFS file sys ... |
| CVE-2020-17527 | While investigating bug 64830 it was discovered that Apache Tomcat 10. ... |
| CVE-2020-13943 | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7 ... |
| CVE-2020-13935 | The payload length in a WebSocket frame was not correctly validated in ... |
| CVE-2020-13934 | An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0. ... |
| CVE-2020-11996 | A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat ... |
| CVE-2020-9484 | When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to ... |
| CVE-2020-1938 | When using the Apache JServ Protocol (AJP), care must be taken when tr ... |
| CVE-2020-1935 | In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0. ... |
| CVE-2019-17569 | The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8 ... |
| CVE-2019-17563 | When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, ... |
| CVE-2019-12418 | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0. ... |
| CVE-2019-10072 | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 co ... |
| CVE-2019-0232 | When running on Windows with enableCmdLineArguments enabled, the CGI S ... |
| CVE-2019-0221 | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ... |
| CVE-2019-0199 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5. ... |
| CVE-2018-11784 | When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, ... |
| CVE-2018-8037 | If an async request was completed by the application at the same time ... |
| CVE-2018-8034 | The host name verification when using TLS with the WebSocket client wa ... |
| CVE-2018-8014 | The defaults settings for the CORS filter provided in Apache Tomcat 9. ... |
| CVE-2018-1336 | An improper handing of overflow in the UTF-8 decoder with supplementar ... |
| CVE-2018-1305 | Security constraints defined by annotations of Servlets in Apache Tomc ... |
| CVE-2018-1304 | The URL pattern of "" (the empty string) which exactly maps to the con ... |
| CVE-2017-15706 | As part of the fix for bug 61201, the documentation for Apache Tomcat ... |
| CVE-2017-7675 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8 ... |
| CVE-2017-7674 | The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.1 ... |
| CVE-2017-5664 | The error page mechanism of the Java Servlet Specification requires th ... |
| CVE-2017-5651 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refact ... |
| CVE-2017-5650 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handli ... |
| CVE-2017-5648 | While investigating bug 60718, it was noticed that some calls to appli ... |
| CVE-2017-5647 | A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0 ... |
| CVE-2016-8745 | A bug in the error handling of the send file code for the NIO HTTP con ... |
| CVE-2016-8735 | Remote code execution is possible with Apache Tomcat before 6.0.48, 7. ... |
| CVE-2016-6817 | The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8. ... |
| CVE-2016-6816 | The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0 ... |
| CVE-2016-5388 | Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI S ... |
| CVE-2016-3092 | The MultipartStream class in Apache Commons Fileupload before 1.3.2, a ... |
| CVE-2016-0763 | The setGlobalContext method in org/apache/naming/factory/ResourceLinkF ... |
| CVE-2016-0714 | The session-persistence implementation in Apache Tomcat 6.x before 6.0 ... |
| CVE-2016-0706 | Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, ... |
| CVE-2015-5351 | The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x ... |
| CVE-2015-5346 | Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ... |
| CVE-2015-5345 | The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7. ... |