CVE-2019-17563
- EPSS 10.69%
- Veröffentlicht 23.12.2019 17:15:11
- Zuletzt bearbeitet 21.11.2024 04:32:32
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be p...
CVE-2019-10072
- EPSS 72.99%
- Veröffentlicht 21.06.2019 18:15:09
- Zuletzt bearbeitet 21.11.2024 04:18:20
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) cl...
CVE-2019-0221
- EPSS 45.57%
- Veröffentlicht 28.05.2019 22:29:00
- Zuletzt bearbeitet 21.11.2024 04:16:31
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debu...
CVE-2019-2684
- EPSS 37.62%
- Veröffentlicht 23.04.2019 19:32:55
- Zuletzt bearbeitet 21.11.2024 04:41:21
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthen...
CVE-2019-0232
- EPSS 99.65%
- Veröffentlicht 15.04.2019 15:29:00
- Zuletzt bearbeitet 21.11.2024 04:16:33
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments...
CVE-2019-0199
- EPSS 72.86%
- Veröffentlicht 10.04.2019 15:29:00
- Zuletzt bearbeitet 21.11.2024 04:16:28
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping str...
CVE-2018-11784
- EPSS 94.49%
- Veröffentlicht 04.10.2018 13:29:00
- Zuletzt bearbeitet 21.11.2024 03:44:01
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause...
CVE-2018-1336
- EPSS 20.6%
- Veröffentlicht 02.08.2018 14:29:00
- Zuletzt bearbeitet 21.11.2024 03:59:38
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and ...
CVE-2018-8037
- EPSS 12.06%
- Veröffentlicht 02.08.2018 14:29:00
- Zuletzt bearbeitet 21.11.2024 04:13:09
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present ...
CVE-2018-8034
- EPSS 21.3%
- Veröffentlicht 01.08.2018 18:29:00
- Zuletzt bearbeitet 21.11.2024 04:13:08
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.