Apache

Tomcat

263 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 21.98%
  • Veröffentlicht 16.05.2018 16:29:00
  • Zuletzt bearbeitet 21.11.2024 04:13:05

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter ...

  • EPSS 17.38%
  • Veröffentlicht 28.02.2018 20:29:00
  • Zuletzt bearbeitet 21.11.2024 03:59:35

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definiti...

  • EPSS 14.74%
  • Veröffentlicht 23.02.2018 23:29:00
  • Zuletzt bearbeitet 21.11.2024 03:59:35

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way ap...

  • EPSS 6.2%
  • Veröffentlicht 31.01.2018 14:29:00
  • Zuletzt bearbeitet 21.11.2024 03:15:02

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script...

Warnung Exploit
  • EPSS 99.99%
  • Veröffentlicht 04.10.2017 01:29:02
  • Zuletzt bearbeitet 21.04.2026 17:03:52

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload ...

Warnung Exploit
  • EPSS 99.61%
  • Veröffentlicht 19.09.2017 13:29:00
  • Zuletzt bearbeitet 21.04.2026 17:04:04

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP...

  • EPSS 70.8%
  • Veröffentlicht 19.09.2017 13:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

  • EPSS 8.32%
  • Veröffentlicht 11.08.2017 02:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for t...

  • EPSS 8.04%
  • Veröffentlicht 11.08.2017 02:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poi...

  • EPSS 10.14%
  • Veröffentlicht 11.08.2017 02:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted U...