Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: tomcat9-config

com.github.hazendaz.tomcat:tomcat9-config:9.0.106

Scan Information (show all):

Summary

Display: Showing Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
checker-qual-3.49.3.jarpkg:maven/org.checkerframework/checker-qual@3.49.3 044
error_prone_annotations-2.38.0.jarpkg:maven/com.google.errorprone/error_prone_annotations@2.38.0 029
j2objc-annotations-3.0.0.jarpkg:maven/com.google.j2objc/j2objc-annotations@3.0.0 033
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
lombok-1.18.38.jar: mavenEcjBootstrapAgent.jar 07
lombok-1.18.38.jarpkg:maven/org.projectlombok/lombok@1.18.38 036
modernizer-maven-annotations-3.1.0.jarpkg:maven/org.gaul/modernizer-maven-annotations@3.1.0 019
spotbugs-annotations-4.9.3.jarpkg:maven/com.github.spotbugs/spotbugs-annotations@4.9.3 053
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: annotations-api.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Low30
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: bootstrap.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:* 0Highest16
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina-ant.jarcpe:2.3:a:apache:ant:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
 0High14
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina-ha.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:* 0Highest22
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Highest20
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: commons-daemon.jarcpe:2.3:a:apache:apache_commons_daemon:1.4.1:*:*:*:*:*:*:*pkg:maven/commons-daemon/commons-daemon@1.4.1 0Low86
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: ecj-4.20.jar 025
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: el-api.jarcpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
CRITICAL*31Medium20
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jasper-el.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:* 0Low26
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jasper.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:* 0Highest20
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jaspic-api.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Low38
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jsp-api.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Low39
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: sample.war 08
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: servlet-api.jarcpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
CRITICAL*30Medium41
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: taglibs-standard-impl-1.2.5.jarcpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5 0Highest54
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-api.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Highest18
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-i18n-cs.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
 0Low9
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-i18n-fr.jarcpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*
cpe:2.3:a:nfr:nfr:9.0.106:*:*:*:*:*:*:*
 0Low9
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-juli.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:* 0Highest18
tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: websocket-api.jar 025

* indicates the dependency has a known exploited vulnerability

Dependencies (vulnerable)

checker-qual-3.49.3.jar

Description:

checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework.

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: C:\Users\Jeremy\.m2\repository\org\checkerframework\checker-qual\3.49.3\checker-qual-3.49.3.jar
MD5: 5881721126d6f442ba085fcd81145a4d
SHA1: 119a4df4ba2e6a432b23989a785f81be38a56849
SHA256:367edbf2fe9f606c1fdb5a8ba6e1c9c27625993e1ff954e3868de70bcc6416b7
Referenced In Project/Scope: tomcat9-config:compile
checker-qual-3.49.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

error_prone_annotations-2.38.0.jar

Description:

Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\errorprone\error_prone_annotations\2.38.0\error_prone_annotations-2.38.0.jar
MD5: 912f8206614000252841d89cb0461895
SHA1: fc0ae991433e8590ba51cd558421478318a74c8c
SHA256:6661d5335090a5fc61dd869d2095bc6c1e2156e3aa47a6e4ababdf64c99a7889
Referenced In Project/Scope: tomcat9-config:provided
error_prone_annotations-2.38.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

j2objc-annotations-3.0.0.jar

Description:

    A set of annotations that provide additional information to the J2ObjC
    translator to modify the result of translation.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\j2objc\j2objc-annotations\3.0.0\j2objc-annotations-3.0.0.jar
MD5: f59529b29202a5baf37f491ea5ec8627
SHA1: 7399e65dd7e9ff3404f4535b2f017093bdb134c7
SHA256:88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64
Referenced In Project/Scope: tomcat9-config:provided
j2objc-annotations-3.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\code\findbugs\jsr305\3.0.2\jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: tomcat9-config:provided
jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.9.3

Identifiers

lombok-1.18.38.jar: mavenEcjBootstrapAgent.jar

File Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.38\lombok-1.18.38.jar\lombok\launch\mavenEcjBootstrapAgent.jar
MD5: 885d5d6be90a5dcd4b82cdf741e3f31a
SHA1: e1f7f1779f40157fd0b984c1bc32a0cb45cae66e
SHA256:74a80a6ee84e5c6fe497dfcc46a46dbe30578525e747eb531e918ee0750c8da9
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • None

lombok-1.18.38.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.38\lombok-1.18.38.jar
MD5: 789cacd8d3969e9d23e6e6baec747f70
SHA1: 57f8f5e02e92a30fd21b80cbd426a4172b5f8e29
SHA256:1e1e427c36ff63c44fd30ef292d9e773ea3154460ab6265d3fed7e6f5bc50fb9
Referenced In Project/Scope: tomcat9-config:provided
lombok-1.18.38.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

modernizer-maven-annotations-3.1.0.jar

File Path: C:\Users\Jeremy\.m2\repository\org\gaul\modernizer-maven-annotations\3.1.0\modernizer-maven-annotations-3.1.0.jar
MD5: b188aef3e94d39c7e7a8ebb6b740559f
SHA1: 06eeda8c72054cfccf610ae772f606dbd13acf32
SHA256:1b4e8adc970715721846afeb632edd1c9dc9c07dc052b691c0c8d899c9b9f017
Referenced In Project/Scope: tomcat9-config:provided
modernizer-maven-annotations-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

spotbugs-annotations-4.9.3.jar

Description:

Annotations the SpotBugs tool supports

License:

GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: C:\Users\Jeremy\.m2\repository\com\github\spotbugs\spotbugs-annotations\4.9.3\spotbugs-annotations-4.9.3.jar
MD5: 6149845e438bd5a34ebaf81f8bc9e243
SHA1: 4d362bffcfdfd734999e94d7d98fde678aae71cf
SHA256:13532bfe2f45fcd491432221df72d9cd0efb8f987c9245e12befa192c8925ce3
Referenced In Project/Scope: tomcat9-config:provided
spotbugs-annotations-4.9.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.106

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: annotations-api.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\annotations-api.jar
MD5: bf0f4a77e8da4e7e231295b5016bcdfd
SHA1: 9cdcf719f4685a38cd4469e103b249936e5c5f24
SHA256:a67b91aad6306d758c6eab70a8d56e2f523dc0f66522525a0212737643adf341
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: bootstrap.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\bin\bootstrap.jar
MD5: b9f06564100c3146b701a10e8e3d3bbc
SHA1: a85a07f6821fb857d2550b8f0e358f86e68936d4
SHA256:242634bbf006d2349713a213f811ff4f4b3ac8938caa6c5eef2e27b3b3c9dd74
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina-ant.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\catalina-ant.jar
MD5: d78f557df59e75006bbf61ac74f9d96e
SHA1: 5df393fbbf13c4d5431b787b391ac7d68d875764
SHA256:84f8951ebe2e6bf63ad6ad1d38cfb2999684b371c8fc050c11ad1f4b58a9d492
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina-ha.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\catalina-ha.jar
MD5: bd27da59739e8c9a37e9a4cae130d3fe
SHA1: 2262951434c017bfad6ac5cc821a765dafefd7d5
SHA256:8a02727fe4f06c49e4bfe8330b4d3fea2b341714410be0dd0ae26477318b470c
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: catalina.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\catalina.jar
MD5: 3742397e1a9a6709f347ba9351d225a6
SHA1: b6bc7f4c94d608d242fb687f4a235c2e420764a4
SHA256:699be6c41b3dce808c4b099012fcfb4a33f60c29c29721cc551755474e840d06
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: commons-daemon.jar

Description:

    Apache Commons Daemon software is a set of utilities and Java support
    classes for running Java applications as server processes. These are
    commonly known as 'daemon' processes in Unix terminology (hence the
    name). On Windows they are called 'services'.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\bin\commons-daemon.jar
MD5: 00d973e42c1620f71f81e6c78d02fa2d
SHA1: 8308391bc284f7890139b58272819480594135fb
SHA256:fd306f20fbe9ab60c2e06a8b8bdda786d8d2e1a10bfe475cde89f1b7864f4e7e
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: ecj-4.20.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\ecj-4.20.jar
MD5: ee47966a67cd4019f1b8ccac74ba8dca
SHA1: 4837be609a3368a0f7e7cf0dc1bdbc7fe94993de
SHA256:ac0ba5876eaf7ebb47749a0d1be179c51f194b9dd0b875d1c09e1b530f5a2db5
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • None

tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: el-api.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\el-api.jar
MD5: 5277db21ce84ff9a01f981565c1f8500
SHA1: 969b77221dac07eff2616a12826446d2298e33ff
SHA256:9597e87b8dc150066fb03fecc9e3bc3f68d3df7a7dea00110f03c4b278d800c1
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

CVE-2016-8735  

CISA Known Exploited Vulnerability:
  • Product: Apache Tomcat
  • Name: Apache Tomcat Remote Code Execution Vulnerability
  • Date Added: 2023-05-12
  • Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
  • Required Action: Apply updates per vendor instructions.
  • Due Date: 2023-06-02
  • Notes: https://tomcat.apache.org/security-9.html; https://nvd.nist.gov/vuln/detail/CVE-2016-8735

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8022  

A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
CWE-276 Incorrect Default Permissions

CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C

References:

Vulnerable Software & Versions: (show all)

CVE-2002-0493  

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
CWE-254 7PK - Security Features

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2009-3548  

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
CWE-255 Credentials Management Errors

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-2185  

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.  NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0044  

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-4444  

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:
  • af854a3a-2127-422b-91ae-364da2661108 - PATCH
  • secalert@redhat.com - PATCH

Vulnerable Software & Versions: (show all)

CVE-2013-6357  

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI.  NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2000-0760  

The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2013-4286  

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2000-0672  

The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2000-1210  

Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2001-0590  

Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2002-1148  

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2002-2006  

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0042  

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0043  

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0045  

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2005-0808  

Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2008-0128  

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CWE-16 Configuration

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2014-0075  

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
CWE-189 Numeric Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2005-4838  

Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp.  NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2006-7196  

Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors.  NOTE: this may be related to CVE-2006-0254.1.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

    Vulnerable Software & Versions: (show all)

    CVE-2007-2449  

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
    NVD-CWE-Other

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:
    • af854a3a-2127-422b-91ae-364da2661108 - PATCH
    • secalert@redhat.com - PATCH

    Vulnerable Software & Versions: (show all)

    CVE-2009-2696  

    Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions:

    CVE-2013-4322  

    Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
    CWE-20 Improper Input Validation

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2013-4590  

    Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0096  

    java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
    CWE-264 Permissions, Privileges, and Access Controls

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0099  

    Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
    CWE-189 Numeric Errors

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0119  

    Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
    CWE-264 Permissions, Privileges, and Access Controls

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2007-1358  

    Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (2.6)
    • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions: (show all)

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jasper-el.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\jasper-el.jar
    MD5: 3347b31b48df0db042255c332e876707
    SHA1: 9551eb64c4e43e949fc1125294d776dd8f7db555
    SHA256:3a2aefd67e7f3ebb41d2174fd19686df1c2f3a0cbff24a2a53ee23b5cebe6c66
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jasper.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\jasper.jar
    MD5: 23eb53326e00965fe7388e46f5157c89
    SHA1: 37cdc0b43c87e0fb156c118e152a184149dbafd5
    SHA256:b44a2af72e00440de4f9a519d96f50c9f2c1de9b3b0556dc803b014ae455b227
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jaspic-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\jaspic-api.jar
    MD5: 99b1b7f6160e721143e6202e71acece3
    SHA1: 481663fd7137a9f429a797b0365799a6f097a81e
    SHA256:0e6780e597523991f1e7dda958b0e074674a9317142fd4921f04531547d715da
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: jsp-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\jsp-api.jar
    MD5: 49a30e98c7b1b7efb58654d60e52ea86
    SHA1: a365e52c9f5ed7163e55b5bac4e0b81aea53153a
    SHA256:24da74b5a2a30037275fde178a730ffa9500c2658f757883898dce3f36c23a31
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: sample.war

    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\webapps\docs\appdev\sample\sample.war
    MD5: 570f196c4a1025a717269d16d11d6f37
    SHA1: 80f5053b166c69d81697ba21113c673f8372aca0
    SHA256:89b33caa5bf4cfd235f060c396cb1a5acb2734a1366db325676f48c5f5ed92e5
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • None

    tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: servlet-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\servlet-api.jar
    MD5: 0990b9eb9c5255c5511fdd93a90b88b8
    SHA1: 0284d902a8d0a726f21c1c38eb162eb6b2e73d27
    SHA256:cad693df90171c7e989a4f214268c4086722906463177447ff5eaddfd1815750
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    CVE-2016-8735  

    CISA Known Exploited Vulnerability:
    • Product: Apache Tomcat
    • Name: Apache Tomcat Remote Code Execution Vulnerability
    • Date Added: 2023-05-12
    • Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
    • Required Action: Apply updates per vendor instructions.
    • Due Date: 2023-06-02
    • Notes: https://tomcat.apache.org/security-9.html; https://nvd.nist.gov/vuln/detail/CVE-2016-8735

    Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
    NVD-CWE-noinfo

    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2002-2272  

    Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.
    CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

    CVSSv2:
    • Base Score: HIGH (7.8)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2020-8022  

    A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
    CWE-276 Incorrect Default Permissions

    CVSSv3:
    • Base Score: HIGH (7.8)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
    CVSSv2:
    • Base Score: HIGH (7.2)
    • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2002-1394  

    Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
    NVD-CWE-Other

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

      Vulnerable Software & Versions: (show all)

      CVE-2009-3548  

      The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
      CWE-255 Credentials Management Errors

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-2185  

      The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.  NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
      CWE-20 Improper Input Validation

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-4444  

      Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
      CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: MEDIUM (6.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

      References:
      • af854a3a-2127-422b-91ae-364da2661108 - PATCH
      • secalert@redhat.com - PATCH

      Vulnerable Software & Versions: (show all)

      CVE-2013-6357  

      Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI.  NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.
      CWE-352 Cross-Site Request Forgery (CSRF)

      CVSSv2:
      • Base Score: MEDIUM (6.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-4286  

      Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
      CWE-20 Improper Input Validation

      CVSSv2:
      • Base Score: MEDIUM (5.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2002-1148  

      The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2002-2006  

      The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2003-0866  

      The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2008-0128  

      The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
      CWE-16 Configuration

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions:

      CVE-2014-0075  

      Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
      CWE-189 Numeric Errors

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2005-4838  

      Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp.  NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

      References:

      Vulnerable Software & Versions:

      CVE-2006-7196  

      Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors.  NOTE: this may be related to CVE-2006-0254.1.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

      References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-1355  

        Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-2449  

        Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:
        • af854a3a-2127-422b-91ae-364da2661108 - PATCH
        • secalert@redhat.com - PATCH

        Vulnerable Software & Versions: (show all)

        CVE-2007-3383  

        Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2008-2938  

        Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370.  NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
        CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2009-2696  

        Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions:

        CVE-2013-4322  

        Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
        CWE-20 Improper Input Validation

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2013-4590  

        Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
        CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0096  

        java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0099  

        Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
        CWE-189 Numeric Errors

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0119  

        Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-2450  

        Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: LOW (3.5)
        • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-5461  

        Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
        CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        CVSSv2:
        • Base Score: LOW (3.5)
        • Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N

        References:
        • af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT
        • secalert@redhat.com - EXPLOIT

        Vulnerable Software & Versions: (show all)

        CVE-2007-1358  

        Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: LOW (2.6)
        • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2008-5519  

        The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
        CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: LOW (2.6)
        • Vector: /AV:N/AC:H/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: taglibs-standard-impl-1.2.5.jar

        Description:

                An implementation of the JSP Standard Tag Library (JSTL).
            

        License:

        http://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\webapps\examples\WEB-INF\lib\taglibs-standard-impl-1.2.5.jar
        MD5: 8e5c8db242fbef3db1acfcbb3bc8ec8b
        SHA1: 9b9783ccb2a323383e6e20e36d368f8997b71967
        SHA256:d075cb77d94e2d115b4d90a897b57d65cc31ed8e1b95d65361da324642705728
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-api.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\tomcat-api.jar
        MD5: bce7e3d58c2db1d502f4789d1eb0fb3c
        SHA1: 25988775ca79afb9f7de2f947735e3004a7f686a
        SHA256:7a9b821cfbbfdc4596c4a1d803d8e26e155053680c377c858a90ec53836baa3c
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-i18n-cs.jar

        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\tomcat-i18n-cs.jar
        MD5: eeda77974ead59135d41444eebd06e4b
        SHA1: da46e30ef591251ab620eb47085e98c61babff4b
        SHA256:dc1d13bd2b34a63f3d28abb87521df5e909021a6c4d7d9013638fcb7ac512f56
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-i18n-fr.jar

        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\tomcat-i18n-fr.jar
        MD5: 2d6dedded5d179456e39d148a315a282
        SHA1: 2fb0617bce4495b598ddf3578bfe48934f522a2c
        SHA256:80f8a768d004aefa5541df90251c7b315fc8bd81ed7186f4e254f5f2a0b6e586
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:nfr:nfr:9.0.106:*:*:*:*:*:*:*  (Confidence:Low)  

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: tomcat-juli.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\bin\tomcat-juli.jar
        MD5: 2bfc621da9687b85a15e66bc969373ee
        SHA1: b92392caa442592ba846b4b01fe5ac5459edfcaf
        SHA256:9582c33ee92d14898a70cf526638384d9e3805c80952d3294e93ccdfa672f1d1
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.106.tar.gz: tomcat-9.0.106.tar: websocket-api.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.106\tomcat-9.0.106.tar.gz\tomcat-9.0.106.tar\apache-tomcat-9.0.106\lib\websocket-api.jar
        MD5: 8c9d39e3f2c481a4dab2e2fb6d101ec9
        SHA1: 2574e6d818c2dd199a55d72090b28971fa173b4c
        SHA256:9c506f2251af28e0e1dbc450746c4f43e66f304d3a08b1d932ad3c7e8eb6c6cd
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • None


        This report contains data retrieved from the National Vulnerability Database.
        This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
        This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
        This report may contain data retrieved from RetireJS.
        This report may contain data retrieved from the Sonatype OSS Index.