Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: github issues

 Sponsor

Project: tomcat9-config

com.github.hazendaz.tomcat:tomcat9-config:9.0.109

Scan Information (show all):

Summary

Summary of Vulnerable Dependencies (click to show all)

DependencyVulnerability IDsPackageHighest SeverityCVE CountConfidenceEvidence Count
checker-qual-3.50.0.jarpkg:maven/org.checkerframework/checker-qual@3.50.0 044
error_prone_annotations-2.41.0.jarpkg:maven/com.google.errorprone/error_prone_annotations@2.41.0 029
j2objc-annotations-3.1.jarpkg:maven/com.google.j2objc/j2objc-annotations@3.1 033
jsr305-3.0.2.jarpkg:maven/com.google.code.findbugs/jsr305@3.0.2 017
lombok-1.18.40.jar: mavenEcjBootstrapAgent.jar 07
lombok-1.18.40.jarpkg:maven/org.projectlombok/lombok@1.18.40 036
modernizer-maven-annotations-3.2.0.jarpkg:maven/org.gaul/modernizer-maven-annotations@3.2.0 019
spotbugs-annotations-4.9.4.jarpkg:maven/com.github.spotbugs/spotbugs-annotations@4.9.4 053
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: annotations-api.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Low30
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: bootstrap.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:* 0Highest16
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina-ant.jarcpe:2.3:a:apache:ant:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
 0High14
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina-ha.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:* 0Highest22
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Highest20
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: commons-daemon.jarcpe:2.3:a:apache:apache_commons_daemon:1.4.1:*:*:*:*:*:*:*pkg:maven/commons-daemon/commons-daemon@1.4.1 0Low86
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: ecj-4.20.jar 025
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: el-api.jarcpe:2.3:a:apache:tomcat:3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
CRITICAL*32Medium20
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jasper-el.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:* 0Low26
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jasper.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:* 0Highest20
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jaspic-api.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Low38
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jsp-api.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Low39
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: sample.war 08
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: servlet-api.jarcpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
CRITICAL*31Medium41
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: taglibs-standard-impl-1.2.5.jarcpe:2.3:a:apache:standard_taglibs:1.2.5:*:*:*:*:*:*:*pkg:maven/org.apache.taglibs/taglibs-standard-impl@1.2.5 0Highest54
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-api.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Highest18
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-i18n-cs.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
 0Low9
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-i18n-fr.jarcpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*
cpe:2.3:a:nfr:nfr:9.0.109:*:*:*:*:*:*:*
 0Low9
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-juli.jarcpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:* 0Highest18
tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: websocket-api.jar 025

* indicates the dependency has a known exploited vulnerability

Dependencies (vulnerable)

checker-qual-3.50.0.jar

Description:

checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework.

License:

The MIT License: http://opensource.org/licenses/MIT
File Path: C:\Users\Jeremy\.m2\repository\org\checkerframework\checker-qual\3.50.0\checker-qual-3.50.0.jar
MD5: 9ba0141d2867c83e957c7813b5c76241
SHA1: a403b605cdffc4ce06e70406b1426a41b0904266
SHA256:e268d1d5cb6029f06cfdff8fb638383ff22556039da25386a00c287da6a52dbe
Referenced In Project/Scope: tomcat9-config:compile
checker-qual-3.50.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

error_prone_annotations-2.41.0.jar

Description:

Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.

License:

Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\errorprone\error_prone_annotations\2.41.0\error_prone_annotations-2.41.0.jar
MD5: 75e3b25da8b8a2136463c4674f5e49bf
SHA1: 4381275efdef6ddfae38f002c31e84cd001c97f0
SHA256:a56e782b5b50811ac204073a355a21d915a2107fce13ec711331ad036f660fcc
Referenced In Project/Scope: tomcat9-config:provided
error_prone_annotations-2.41.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

j2objc-annotations-3.1.jar

Description:

    A set of annotations that provide additional information to the J2ObjC
    translator to modify the result of translation.
  

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\j2objc\j2objc-annotations\3.1\j2objc-annotations-3.1.jar
MD5: abe8bd3abff622b9a8b15c3a737aa741
SHA1: a892ca9507839bbdb900d64310ac98256cab992f
SHA256:84d3a150518485f8140ea99b8a985656749629f6433c92b80c75b36aba3b099b
Referenced In Project/Scope: tomcat9-config:provided
j2objc-annotations-3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

jsr305-3.0.2.jar

Description:

JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\com\google\code\findbugs\jsr305\3.0.2\jsr305-3.0.2.jar
MD5: dd83accb899363c32b07d7a1b2e4ce40
SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d
SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7
Referenced In Project/Scope: tomcat9-config:provided
jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.9.4

Identifiers

lombok-1.18.40.jar: mavenEcjBootstrapAgent.jar

File Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.40\lombok-1.18.40.jar\lombok\launch\mavenEcjBootstrapAgent.jar
MD5: 885d5d6be90a5dcd4b82cdf741e3f31a
SHA1: e1f7f1779f40157fd0b984c1bc32a0cb45cae66e
SHA256:74a80a6ee84e5c6fe497dfcc46a46dbe30578525e747eb531e918ee0750c8da9
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • None

lombok-1.18.40.jar

Description:

Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!

License:

The MIT License: https://projectlombok.org/LICENSE
File Path: C:\Users\Jeremy\.m2\repository\org\projectlombok\lombok\1.18.40\lombok-1.18.40.jar
MD5: 2d434bde0d5697e593f19d965c611250
SHA1: 398c6d2d7c42c96b65e78d2ddc9be0058c163453
SHA256:b764c3a1b0c86748c9e2e80d64e03d45402ce3edeb631fa81e30a56bffa6daf3
Referenced In Project/Scope: tomcat9-config:provided
lombok-1.18.40.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

modernizer-maven-annotations-3.2.0.jar

File Path: C:\Users\Jeremy\.m2\repository\org\gaul\modernizer-maven-annotations\3.2.0\modernizer-maven-annotations-3.2.0.jar
MD5: 127396b14eb51fd93eb587308f079768
SHA1: 23a99089ff682152e86ab1691a8232db325def09
SHA256:9f9396f361f0d45d435355c1f2b57980307abd81f3131083ec18f54fbbaa5ecb
Referenced In Project/Scope: tomcat9-config:provided
modernizer-maven-annotations-3.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

spotbugs-annotations-4.9.4.jar

Description:

Annotations the SpotBugs tool supports

License:

GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: C:\Users\Jeremy\.m2\repository\com\github\spotbugs\spotbugs-annotations\4.9.4\spotbugs-annotations-4.9.4.jar
MD5: e0a648c2d3d3acdff414402175407a94
SHA1: 071d1be50e7c79317f2cb599b1da571dc5fcd8bf
SHA256:85973144dd267fbeb15721cf99febb75c662c18e01b1a794cd6b4860a810f90b
Referenced In Project/Scope: tomcat9-config:provided
spotbugs-annotations-4.9.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.hazendaz.tomcat/tomcat9-config@9.0.109

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: annotations-api.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\annotations-api.jar
MD5: 85772ff11e1d80a81ca5540c5a8133e3
SHA1: 1e4777fe618f1c6dd71225a3e4f8d6e71af3c845
SHA256:3087fc085dfb184bcdb5dae7dce51e588c530f02afa8230949d14e04427442d5
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
  • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: bootstrap.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\bin\bootstrap.jar
MD5: eccb95fd0cab00fd4acfdbc5931b554c
SHA1: 66dd7b5abc2cc5e90f4a44fc6fa968601c30efc3
SHA256:6495cb9fb6d7ca8427da7331c31a52585c4c1b9e2aee8d7be737b1c2c6ae47c9
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina-ant.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\catalina-ant.jar
MD5: 3ad0eeb3f12ea9d769156175502ca1f5
SHA1: e8e7066b2947c1fa10a9b69fd55f864f879ad18e
SHA256:531ba6b77370e50fe4c423b315e42b009fae1aec5ad5dfdcc4d5c5fb30ac48b7
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina-ha.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\catalina-ha.jar
MD5: c04f61af1043618f1381a973baa71211
SHA1: ebb2e11e1bcd15a17969d2aa4b7e5e4cf9f4af20
SHA256:7c7d3e145b6ec2d28a392532810568707ac79c26a7ab36f9646dc67e77706a0a
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: catalina.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\catalina.jar
MD5: d23754a4462e7f300d9aa6bcbf927729
SHA1: 7bb8daf4d49f72ea0b1b5457e9505315b003453c
SHA256:8b9c43f23b859aa593c4522ff2db15f97dbb209987817fbecba921cff1feb52c
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: commons-daemon.jar

Description:

    Apache Commons Daemon software is a set of utilities and Java support
    classes for running Java applications as server processes. These are
    commonly known as 'daemon' processes in Unix terminology (hence the
    name). On Windows they are called 'services'.
  

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\bin\commons-daemon.jar
MD5: 00d973e42c1620f71f81e6c78d02fa2d
SHA1: 8308391bc284f7890139b58272819480594135fb
SHA256:fd306f20fbe9ab60c2e06a8b8bdda786d8d2e1a10bfe475cde89f1b7864f4e7e
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: ecj-4.20.jar

File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\ecj-4.20.jar
MD5: ee47966a67cd4019f1b8ccac74ba8dca
SHA1: 4837be609a3368a0f7e7cf0dc1bdbc7fe94993de
SHA256:ac0ba5876eaf7ebb47749a0d1be179c51f194b9dd0b875d1c09e1b530f5a2db5
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

  • None

tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: el-api.jar

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\el-api.jar
MD5: 36349d8fdee4b3e59ab3595a9569c97c
SHA1: f3ba364171d2da51e3035de708d426f97bebcaff
SHA256:181f192673252e35551e6da555f2ab3f8e06a91cf4a42d14b64da46a95024970
Referenced In Project/Scope: tomcat9-config:provided

Identifiers

CVE-2016-8735  

CISA Known Exploited Vulnerability:
  • Product: Apache Tomcat
  • Name: Apache Tomcat Remote Code Execution Vulnerability
  • Date Added: 2023-05-12
  • Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
  • Required Action: Apply updates per vendor instructions.
  • Due Date: 2023-06-02
  • Notes: https://tomcat.apache.org/security-9.html; https://nvd.nist.gov/vuln/detail/CVE-2016-8735

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
NVD-CWE-noinfo

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2025-24813  

CISA Known Exploited Vulnerability:
  • Product: Apache Tomcat
  • Name: Apache Tomcat Path Equivalence Vulnerability
  • Date Added: 2025-04-01
  • Description: Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
  • Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  • Due Date: 2025-04-22
  • Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions 
may also be affected.


If all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to       perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
CWE-44 Path Equivalence: 'file.name' (Internal Dot), CWE-502 Deserialization of Untrusted Data, CWE-706 Use of Incorrectly-Resolved Name or Reference

CVSSv3:
  • Base Score: CRITICAL (9.8)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

References:

Vulnerable Software & Versions: (show all)

CVE-2020-8022  

A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
CWE-276 Incorrect Default Permissions

CVSSv3:
  • Base Score: HIGH (7.8)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
CVSSv2:
  • Base Score: HIGH (7.2)
  • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C

References:

Vulnerable Software & Versions: (show all)

CVE-2002-0493  

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
CWE-254 7PK - Security Features

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions:

CVE-2009-3548  

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
CWE-255 Credentials Management Errors

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-2185  

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.  NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: HIGH (7.5)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0044  

Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2013-4444  

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:
  • af854a3a-2127-422b-91ae-364da2661108 - PATCH
  • secalert@redhat.com - PATCH

Vulnerable Software & Versions: (show all)

CVE-2013-6357  

Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI.  NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.
CWE-352 Cross-Site Request Forgery (CSRF)

CVSSv2:
  • Base Score: MEDIUM (6.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2000-0760  

The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (6.4)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2013-4286  

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
CWE-20 Improper Input Validation

CVSSv2:
  • Base Score: MEDIUM (5.8)
  • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2000-0672  

The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
NVD-CWE-noinfo

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2000-1210  

Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2001-0590  

Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2002-1148  

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2002-2006  

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0042  

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0043  

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions: (show all)

CVE-2003-0045  

Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2005-0808  

Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
NVD-CWE-Other

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2008-0128  

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CWE-16 Configuration

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

References:

Vulnerable Software & Versions:

CVE-2014-0075  

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
CWE-189 Numeric Errors

CVSSv2:
  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

References:

Vulnerable Software & Versions: (show all)

CVE-2005-4838  

Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp.  NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

Vulnerable Software & Versions:

CVE-2006-7196  

Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors.  NOTE: this may be related to CVE-2006-0254.1.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv2:
  • Base Score: MEDIUM (4.3)
  • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

References:

    Vulnerable Software & Versions: (show all)

    CVE-2007-2449  

    Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
    NVD-CWE-Other

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:
    • af854a3a-2127-422b-91ae-364da2661108 - PATCH
    • secalert@redhat.com - PATCH

    Vulnerable Software & Versions: (show all)

    CVE-2009-2696  

    Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions:

    CVE-2013-4322  

    Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
    CWE-20 Improper Input Validation

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2013-4590  

    Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0096  

    java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
    CWE-264 Permissions, Privileges, and Access Controls

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0099  

    Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
    CWE-189 Numeric Errors

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2014-0119  

    Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
    CWE-264 Permissions, Privileges, and Access Controls

    CVSSv2:
    • Base Score: MEDIUM (4.3)
    • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2007-1358  

    Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
    CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    CVSSv2:
    • Base Score: LOW (2.6)
    • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

    References:

    Vulnerable Software & Versions: (show all)

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jasper-el.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\jasper-el.jar
    MD5: 731ad979189665574ec70558e110f840
    SHA1: 3b37823629b871a2bc24fc82a760ea4e46127cbd
    SHA256:57c905923870ca60a926240d45df0bbf102a164b3fa333a3653dd452ae85e1f2
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jasper.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\jasper.jar
    MD5: da809cb77624fc648ba9a2c9ea7f0e3d
    SHA1: 13f41659986b02b385c458ebdfdcfe5f54e8de79
    SHA256:a6174d891024029096d3c65867d7d3eb0fedf22efdf8d30aa53f05779056b174
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jaspic-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\jaspic-api.jar
    MD5: bc8cf0eacdd2715bd7732a4195de6623
    SHA1: f5b37fa086ec41913c03f9e3b1b39a3c7f067bb4
    SHA256:caaff646f8c49dbb4acd0cc57017620ae363b44154e3a06a1cf69dee4120ad39
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: jsp-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\jsp-api.jar
    MD5: 50731b6b0c79e117ded40517f2572b08
    SHA1: 085e847f133f452f67f828d4d323dc389d4ce72d
    SHA256:8e102389730910d36f3684fb2736680cefd0186b80c1e493bd25f761dc4ef1d7
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
    • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: sample.war

    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\webapps\docs\appdev\sample\sample.war
    MD5: 570f196c4a1025a717269d16d11d6f37
    SHA1: 80f5053b166c69d81697ba21113c673f8372aca0
    SHA256:89b33caa5bf4cfd235f060c396cb1a5acb2734a1366db325676f48c5f5ed92e5
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    • None

    tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: servlet-api.jar

    License:

    https://www.apache.org/licenses/LICENSE-2.0.txt
    File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\servlet-api.jar
    MD5: d9a8b0b62cd9cc6c69ab3c811723154b
    SHA1: 5ee6b5c0750edae16a9d742e0dce2b2e145716c4
    SHA256:4b92d8c93eb6a539891716c5f2e66b39bb83d1645b7b8bdadda95bc624454c02
    Referenced In Project/Scope: tomcat9-config:provided

    Identifiers

    CVE-2016-8735  

    CISA Known Exploited Vulnerability:
    • Product: Apache Tomcat
    • Name: Apache Tomcat Remote Code Execution Vulnerability
    • Date Added: 2023-05-12
    • Description: Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
    • Required Action: Apply updates per vendor instructions.
    • Due Date: 2023-06-02
    • Notes: https://tomcat.apache.org/security-9.html; https://nvd.nist.gov/vuln/detail/CVE-2016-8735

    Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
    NVD-CWE-noinfo

    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A
    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2025-24813  

    CISA Known Exploited Vulnerability:
    • Product: Apache Tomcat
    • Name: Apache Tomcat Path Equivalence Vulnerability
    • Date Added: 2025-04-01
    • Description: Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
    • Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    • Due Date: 2025-04-22
    • Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813

    Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
    
    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
    The following versions were EOL at the time the CVE was created but are 
    known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions 
    may also be affected.
    
    
    If all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:
    - writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default)
    - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
    - attacker knowledge of the names of security sensitive files being uploaded
    - the security sensitive files also being uploaded via partial PUT
    
    If all of the following were true, a malicious user was able to       perform remote code execution:
    - writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default)
    - application was using Tomcat's file based session persistence with the default storage location
    - application included a library that may be leveraged in a deserialization attack
    
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
    CWE-44 Path Equivalence: 'file.name' (Internal Dot), CWE-502 Deserialization of Untrusted Data, CWE-706 Use of Incorrectly-Resolved Name or Reference

    CVSSv3:
    • Base Score: CRITICAL (9.8)
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:3.9/RC:R/MAV:A

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2002-2272  

    Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.
    CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

    CVSSv2:
    • Base Score: HIGH (7.8)
    • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:C

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2020-8022  

    A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
    CWE-276 Incorrect Default Permissions

    CVSSv3:
    • Base Score: HIGH (7.8)
    • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:1.8/RC:R/MAV:A
    CVSSv2:
    • Base Score: HIGH (7.2)
    • Vector: /AV:L/AC:L/Au:N/C:C/I:C/A:C

    References:

    Vulnerable Software & Versions: (show all)

    CVE-2002-1394  

    Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.
    NVD-CWE-Other

    CVSSv2:
    • Base Score: HIGH (7.5)
    • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

    References:

      Vulnerable Software & Versions: (show all)

      CVE-2009-3548  

      The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
      CWE-255 Credentials Management Errors

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-2185  

      The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.  NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue
      CWE-20 Improper Input Validation

      CVSSv2:
      • Base Score: HIGH (7.5)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-4444  

      Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
      CWE-94 Improper Control of Generation of Code ('Code Injection')

      CVSSv2:
      • Base Score: MEDIUM (6.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

      References:
      • af854a3a-2127-422b-91ae-364da2661108 - PATCH
      • secalert@redhat.com - PATCH

      Vulnerable Software & Versions: (show all)

      CVE-2013-6357  

      Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI.  NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator.
      CWE-352 Cross-Site Request Forgery (CSRF)

      CVSSv2:
      • Base Score: MEDIUM (6.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2013-4286  

      Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
      CWE-20 Improper Input Validation

      CVSSv2:
      • Base Score: MEDIUM (5.8)
      • Vector: /AV:N/AC:M/Au:N/C:P/I:P/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2002-1148  

      The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2002-2006  

      The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2003-0866  

      The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests.
      NVD-CWE-Other

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2008-0128  

      The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
      CWE-16 Configuration

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:P/I:N/A:N

      References:

      Vulnerable Software & Versions:

      CVE-2014-0075  

      Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
      CWE-189 Numeric Errors

      CVSSv2:
      • Base Score: MEDIUM (5.0)
      • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:P

      References:

      Vulnerable Software & Versions: (show all)

      CVE-2005-4838  

      Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp.  NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

      References:

      Vulnerable Software & Versions:

      CVE-2006-7196  

      Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors.  NOTE: this may be related to CVE-2006-0254.1.
      CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

      CVSSv2:
      • Base Score: MEDIUM (4.3)
      • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

      References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-1355  

        Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-2449  

        Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:
        • af854a3a-2127-422b-91ae-364da2661108 - PATCH
        • secalert@redhat.com - PATCH

        Vulnerable Software & Versions: (show all)

        CVE-2007-3383  

        Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages.
        NVD-CWE-Other

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2008-2938  

        Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370.  NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
        CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2009-2696  

        Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions:

        CVE-2013-4322  

        Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
        CWE-20 Improper Input Validation

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:N/A:P

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2013-4590  

        Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
        CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0096  

        java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0099  

        Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
        CWE-189 Numeric Errors

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2014-0119  

        Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
        CWE-264 Permissions, Privileges, and Access Controls

        CVSSv2:
        • Base Score: MEDIUM (4.3)
        • Vector: /AV:N/AC:M/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-2450  

        Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors.
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: LOW (3.5)
        • Vector: /AV:N/AC:M/Au:S/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2007-5461  

        Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
        CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

        CVSSv2:
        • Base Score: LOW (3.5)
        • Vector: /AV:N/AC:M/Au:S/C:P/I:N/A:N

        References:
        • af854a3a-2127-422b-91ae-364da2661108 - EXPLOIT
        • secalert@redhat.com - EXPLOIT

        Vulnerable Software & Versions: (show all)

        CVE-2007-1358  

        Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
        CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

        CVSSv2:
        • Base Score: LOW (2.6)
        • Vector: /AV:N/AC:H/Au:N/C:N/I:P/A:N

        References:

        Vulnerable Software & Versions: (show all)

        CVE-2008-5519  

        The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
        CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

        CVSSv2:
        • Base Score: LOW (2.6)
        • Vector: /AV:N/AC:H/Au:N/C:P/I:N/A:N

        References:

        Vulnerable Software & Versions: (show all)

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: taglibs-standard-impl-1.2.5.jar

        Description:

                An implementation of the JSP Standard Tag Library (JSTL).
            

        License:

        http://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\webapps\examples\WEB-INF\lib\taglibs-standard-impl-1.2.5.jar
        MD5: 8e5c8db242fbef3db1acfcbb3bc8ec8b
        SHA1: 9b9783ccb2a323383e6e20e36d368f8997b71967
        SHA256:d075cb77d94e2d115b4d90a897b57d65cc31ed8e1b95d65361da324642705728
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-api.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\tomcat-api.jar
        MD5: 930a44059569e2bfec683839589027b5
        SHA1: 4aa42410ae77cfb8b7a412dab0746b214ef48c9f
        SHA256:718699a21abd6bba65a5aa6abf35dbc3c929af406e8c9bb2782ade386c835d5b
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-i18n-cs.jar

        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\tomcat-i18n-cs.jar
        MD5: 0304488a4c61e0af2a6ea1a6ec08a566
        SHA1: de04a571a3b5186803a4c1d4f1e50d259fb9130f
        SHA256:41260c083481eec56f782c39b6e4506829519e3b0fdf9c78cbc911750c629e30
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-i18n-fr.jar

        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\tomcat-i18n-fr.jar
        MD5: 11c21884650bc8de88bb1c4b5767ede7
        SHA1: 807093ca505a08fa8dc480109ee3118ee65b5bb0
        SHA256:453ee2645737f9c9e26f421cfca702d06cbe931e737054ec8fd04430618735ea
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • cpe:2.3:a:apache:tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  
        • cpe:2.3:a:nfr:nfr:9.0.109:*:*:*:*:*:*:*  (Confidence:Low)  

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: tomcat-juli.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\bin\tomcat-juli.jar
        MD5: 42eba78b5018d9d0ee1c8521d1c4cea7
        SHA1: 0b7a1633483e63ee3d95fb5a5f73eb5f1649455f
        SHA256:f411a91856ddc838788f7e4612dd5a5d1a32b7d844c746f2381719ec4939c583
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        tomcat-9.0.109.tar.gz: tomcat-9.0.109.tar: websocket-api.jar

        License:

        https://www.apache.org/licenses/LICENSE-2.0.txt
        File Path: C:\Users\Jeremy\.m2\repository\org\apache\tomcat\tomcat\9.0.109\tomcat-9.0.109.tar.gz\tomcat-9.0.109.tar\apache-tomcat-9.0.109\lib\websocket-api.jar
        MD5: cd250f62242ec3fa8fc2aee38a3bbe87
        SHA1: 673c92b6283abed4e197d10f4a64e3bb1123c235
        SHA256:9ff560a58d930d0e07076039bf8a0018d69d92718a070fe6d8976cb5d2cc49e1
        Referenced In Project/Scope: tomcat9-config:provided

        Identifiers

        • None


        This report contains data retrieved from the National Vulnerability Database.
        This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
        This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
        This report may contain data retrieved from RetireJS.
        This report may contain data retrieved from the Sonatype OSS Index.