📦 Tomcat
by Apache
🔍 What is Tomcat?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
Apache Tomcat fails to escape ANSI escape sequences in log messages, allowing attackers to inject malicious sequences when Tomcat runs in a console supporting ANSI escape sequences (primarily Windows)...
This vulnerability in Apache Tomcat allows attackers to bypass security constraints by crafting requests that evade specific rewrite rules. It affects Tomcat versions 9.0.0.M1 through 9.0.102, 10.1.0-...
This vulnerability in Apache Tomcat allows path traversal attacks via internal dot handling in filenames, potentially leading to remote code execution, information disclosure, or file corruption. It a...
A Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat allows attackers to bypass security checks and write malicious files to case-insensitive file systems. This affects T...
A Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat's JSP compilation allows attackers to achieve Remote Code Execution (RCE) on case-insensitive file systems when the d...
This vulnerability in Apache Tomcat allows authentication bypass when using custom Jakarta Authentication components that throw exceptions without setting proper HTTP failure status. It affects Tomcat...
A path traversal vulnerability in Apache Tomcat allows attackers to bypass security constraints protecting sensitive directories like /WEB-INF/ and /META-INF/. This affects Tomcat versions 9.0.0.M11 t...
This CVE describes an Improper Resource Shutdown or Release vulnerability in Apache Tomcat that enables a 'made you reset' attack. Attackers can exploit this to cause resource exhaustion or service di...
This vulnerability allows an attacker to cause a denial-of-service (DoS) condition in Apache Tomcat by exploiting an HTTP/2 protocol flaw. An uncooperative HTTP/2 client can prevent the server from pr...
A race condition vulnerability in Apache Tomcat's APR/Native connector when handling HTTP/2 connection closures can lead to crashes or denial of service. This affects Tomcat versions 9.0.0.M1 through ...
An integer overflow vulnerability in Apache Tomcat's multipart upload handling allows attackers to bypass configured size limits, potentially causing denial of service. This affects Tomcat versions 11...
This CVE describes an allocation of resources without limits or throttling vulnerability in Apache Tomcat. Attackers can exploit this to cause denial of service by exhausting server resources. Affecte...
This CVE describes an authentication bypass vulnerability in Apache Tomcat where PreResources or PostResources mounted at non-root paths can be accessed via unexpected alternative paths. These alterna...
This vulnerability in Apache Tomcat's CGI servlet allows attackers to bypass security constraints by exploiting improper case sensitivity handling in URI pathInfo components. It affects Tomcat version...
This vulnerability in Apache Tomcat allows attackers to cause denial of service by exploiting the TLS handshake process to trigger OutOfMemoryError conditions. It affects Tomcat versions 11.0.0-M1 thr...
This vulnerability in Apache Tomcat allows attackers to cause uncontrolled resource consumption through HTTP/2 connections. By sending excessive HTTP headers, attackers can force Tomcat to keep connec...
This vulnerability in Apache Tomcat allows denial-of-service attacks via HTTP/2 requests. Attackers can send specially crafted HTTP/2 requests that exceed header size limits, causing Tomcat to delay s...
CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server resources. This affects any system using HTTP/2, incl...
This vulnerability allows attackers to bypass request size limits in Apache Tomcat by submitting exactly maxParameterCount query parameters, potentially causing denial of service. It affects Tomcat ve...
This CVE describes a time-of-check-time-of-use (TOCTOU) vulnerability in Apache Tomcat that allows local attackers to escalate privileges. The vulnerability only affects systems where Tomcat is config...
This vulnerability in Apache Tomcat allows denial of service attacks when using specific TLS configurations. Attackers can send specially crafted TLS packets to trigger an infinite loop, causing Tomca...
This vulnerability in Apache Tomcat allows HTTP/2 cleartext (h2c) connections to leak request data between users. When processing h2c requests, Tomcat could duplicate headers and limited body content ...
This CVE describes a session fixation vulnerability in Apache Tomcat's rewrite valve that allows attackers to hijack user sessions. Attackers can fixate session IDs before authentication, then use tho...
Apache Tomcat fails to set the 'secure' attribute on session cookies when using RemoteIpFilter with X-Forwarded-Proto headers from reverse proxies. This allows session cookies to be transmitted over i...