CVE-2019-17563
- EPSS 3.26%
- Published 23.12.2019 17:15:11
- Last modified 21.11.2024 04:32:32
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be p...
CVE-2018-1304
- EPSS 1.79%
- Published 28.02.2018 20:29:00
- Last modified 21.11.2024 03:59:35
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definiti...
CVE-2018-1305
- EPSS 17.66%
- Published 23.02.2018 23:29:00
- Last modified 21.11.2024 03:59:35
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way ap...
CVE-2016-8735
- EPSS 93.9%
- Published 06.04.2017 21:59:00
- Last modified 20.04.2025 01:37:25
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because...