CVE-2016-6797
- EPSS 8.07%
- Veröffentlicht 10.08.2017 22:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked ...
CVE-2016-6817
- EPSS 7.19%
- Veröffentlicht 10.08.2017 22:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.
CVE-2016-8745
- EPSS 16.04%
- Veröffentlicht 10.08.2017 22:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the...
CVE-2016-0762
- EPSS 7.99%
- Veröffentlicht 10.08.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attac...
CVE-2016-5018
- EPSS 10.3%
- Veröffentlicht 10.08.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applica...
CVE-2016-6794
- EPSS 7.15%
- Veröffentlicht 10.08.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the ...
CVE-2017-5664
- EPSS 16.57%
- Veröffentlicht 06.06.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request...
CVE-2017-5647
- EPSS 16.84%
- Veröffentlicht 17.04.2017 16:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file pr...
CVE-2017-5648
- EPSS 13.23%
- Veröffentlicht 17.04.2017 16:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrus...
CVE-2017-5650
- EPSS 8.28%
- Veröffentlicht 17.04.2017 16:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application ...