from 0, < 9.0.99, >= 10.0.0, < 10.1.35, >= 11.0.0, < 11.0.3
CRITICAL 9.8 CVE-2020-1938 ⚠ KEV Improper Privilege Management in Tomcat
>= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.51, >= 9.0.0, < 9.0.31
MEDIUM 5.3 ⚠ KEV nghttp2 - security update
>= 8.5.0, < 8.5.94, >= 9.0.0, < 9.0.81, >= 10.0.0, < 10.1.14
CRITICAL 9.8 Apache Tomcat - Digest authenticator will authenticate any unknown user
>= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
CRITICAL 9.8 Apache Tomcat - HTTP/2 request headers not validated
>= 10.0.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
CRITICAL 9.8 Apache Tomcat Rewrite rule bypass
from 0, < 9.0.104, >= 10.0.0, < 10.1.40, >= 11.0.0, < 11.0.6
CRITICAL 9.8 Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
from 0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
CRITICAL 9.8 Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
>= 9.0.0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
CRITICAL 9.8 Apache Tomcat - Authentication Bypass
>= 9.0.0, < 9.0.96, >= 10.0.0, < 10.1.31
CRITICAL 9.6 Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
from 0, < 9.0.109, >= 10.0.0, < 10.1.45, >= 11.0.0, < 11.0.11
CRITICAL 9.1 Apache Tomcat - Security constraints not correctly applied
>= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
CRITICAL 9.1 Apache Tomcat: CLIENT_CERT authentication does not fail as expected
from 0, < 8.5.98, >= 9.0.83, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
CRITICAL 9.1 Apache Tomcat - Client certificate verification bypass
>= 8.5.0, < 9.0.113, >= 10.1.0, < 10.1.50, >= 11.0.0, < 11.0.15
HIGH 8.6 Apache Tomcat Allocation of Resources Without Limits or Throttling vulnerability
>= 9.0.13, < 9.0.90, >= 10.0.0, < 10.1.25, >= 11.0.0, < 11.0.9
HIGH 8.6 Improper socket reuse in Apache Tomcat
>= 8.5.0, < 8.5.76, >= 9.0.0, < 9.0.21
HIGH 8.4 Apache Tomcat installer for Windows has an untrusted search path vulnerability
>= 9.0.23, < 9.0.107, >= 10.1.0, < 10.1.42, >= 11.0.0, < 11.0.9
HIGH 7.8 Incorrect Default Permissions in Apache Tomcat
from 0, < 9.0.35-3.57.3
HIGH 7.5 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
>= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
HIGH 7.5 Apache Tomcat: LockOutRealm treats user names as case-sensitive
>= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
HIGH 7.5 Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
>= 9.0.13, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.21
HIGH 7.5 Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
>= 9.0.40, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.21
HIGH 7.5 Apache Tomcat Missing Encryption of Sensitive Data vulnerability
>= 9.0.116, < 9.0.117, >= 10.1.53, < 10.1.54, >= 11.0.20, < 11.0.21
HIGH 7.5 Apache Tomcat: Configured cipher preference order not preserved
>= 9.0.114, < 9.0.116, >= 10.1.51, < 10.1.53, >= 11.0.16, < 11.0.20
HIGH 7.5 Apache Tomcat has an HTTP Request/Response Smuggling vulnerability
from 0, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
HIGH 7.5 Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor
>= 7.0.100, < 9.0.116, >= 10.0.0, < 10.1.53, >= 11.0.0, < 11.0.19
HIGH 7.5 Apache Tomcat has an Improper Input Validation vulnerability
>= 9.0.83, < 9.0.115, >= 10.1.0, < 10.1.52, >= 11.0.0, < 11.0.18
HIGH 7.5 tomcat9 - security update
from 0, < 9.0.109, >= 10.0.0, < 10.1.45, >= 11.0.0, < 11.0.11
HIGH 7.5 Apache Tomcat Improper Resource Shutdown or Release vulnerability
from 0, < 9.0.108, >= 10.0.0, < 10.1.44, >= 11.0.0, < 11.0.10
HIGH 7.5 Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
from 0, < 9.0.107, >= 10.0.0, < 10.1.43, >= 11.0.0, < 11.0.9
HIGH 7.5 Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits
from 0, < 9.0.107, >= 10.0.0, < 10.1.43, >= 11.0.0, < 11.0.9
HIGH 7.5 Apache Tomcat Utilities is vulnerable to resource exhaustion when using the APR/Native connector
>= 9.0.0, < 9.0.107
HIGH 7.5 Apache Tomcat - Security constraint bypass for pre/post-resources
from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
HIGH 7.5 Apache Tomcat - DoS in multipart upload
from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
HIGH 7.5 Apache Tomcat Denial of Service via invalid HTTP priority header
>= 9.0.76, < 9.0.104, >= 10.1.10, < 10.1.40, >= 11.0.0, < 11.0.6
HIGH 7.5 tomcat10 - security update
>= 9.0.0, < 9.0.90, >= 10.0.0, < 10.1.25
HIGH 7.5 Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests
>= 8.5.0, < 8.5.99, >= 9.0.0, < 9.0.86, >= 10.0.0, < 10.1.19
HIGH 7.5 tomcat9 - security update
>= 8.5.0, < 8.5.96, >= 9.0.0, < 9.0.83, >= 10.1.0, < 10.1.16
HIGH 7.5 tomcat10 - security update
>= 8.5.85, <= 8.5.87, >= 9.0.71, <= 9.0.73, >= 10.1.5, <= 10.1.7
HIGH 7.5 Apache Tomcat vulnerable to information leak
>= 8.5.88, < 8.5.89, >= 9.0.74, < 9.0.75, >= 10.1.8, < 10.1.9
HIGH 7.5 Apache Tomcat improperly escapes input from JsonErrorReportValve
>= 9.0.40, < 9.0.69, >= 8.5.83, < 8.5.84, >= 10.1.1, < 10.1.2
HIGH 7.5 tomcat9 - security update
>= 8.5.0, < 8.5.83, >= 9.0.0, < 9.0.68, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.1
HIGH 7.5 Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption
>= 8.5.38, < 8.5.79, >= 9.0.13, < 9.0.63, >= 10.0.0, < 10.0.21
HIGH 7.5 tomcat9 - security update
>= 8.5.0, < 8.5.56, >= 9.0.0, < 9.0.36
HIGH 7.5 tomcat8 - security update
>= 8.5.1, < 8.5.60, >= 9.0.1, < 9.0.40
HIGH 7.5 Infinite Loop in Apache Tomcat
>= 7.0.27, < 7.0.105, >= 8.5.0, < 8.5.57, >= 9.0.1, < 9.0.37
HIGH 7.5 tomcat8 - security update
>= 8.5.1, < 8.5.57, >= 9.0.1, < 9.0.37
HIGH 7.5 tomcat9 - security update
>= 8.5.60, < 8.5.72, >= 9.0.40, < 9.0.54, >= 10.0.1, < 10.0.12
HIGH 7.5 tomcat9 - security update
>= 8.5.0, < 8.5.64, >= 9.0.0, < 9.0.44, >= 10.0.0, < 10.0.3
HIGH 7.5 Improper Handling of Exceptional Conditions in Apache Tomcat
>= 8.5.64, < 8.5.65, >= 9.0.44, < 9.0.45, >= 10.0.3, < 10.0.4, >= 10.0.4, < 10.0.5
HIGH 7.5 tomcat9 - security update
>= 8.5.0, < 8.5.62, >= 9.0.0, < 9.0.42, >= 10.0.0, < 10.0.1
HIGH 7.3 Apache Tomcat - WebSocket authentication header exposure
>= 10.0.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
HIGH 7.3 tomcat11 - security update
from 0, < 9.0.105, >= 10.0.0, < 10.1.41, >= 11.0.0, < 11.0.7
HIGH 7.0 Race condition in Apache Tomcat
>= 8.5.55, < 8.5.74, >= 9.0.35, < 9.0.57, >= 10.0.1, < 10.0.15
HIGH 7.0 Potential remote code execution in Apache Tomcat
>= 7.0.0, < 7.0.108, >= 8.5.0, < 8.5.62, >= 9.0.0, < 9.0.42, >= 10.0.0, < 10.0.1
HIGH 7.0 tomcat7 - security update
>= 7.0.0, < 7.0.108, >= 8.5.0, < 8.5.63, >= 9.0.1, < 9.0.43
MEDIUM 6.5 Apache Tomcat: CLIENT_CERT authentication does not fail as expected
>= 9.0.92, < 9.0.117, >= 10.1.22, < 10.1.54, >= 11.0.0, < 11.0.21
MEDIUM 6.5 Apache Tomcat Session Fixation vulnerability
from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
MEDIUM 6.5 Apache Tomcat Request and/or response mix-up
>= 9.0.92, < 9.0.96, >= 10.1.27, < 10.1.31, >= 11.0.0, < 11.0.9
MEDIUM 6.5 tomcat9 - security update
>= 7.0.0, < 7.0.109, >= 8.5.0, < 8.5.66, >= 9.0.0, < 9.0.46, >= 10.0.0, < 10.0.6
MEDIUM 6.3 tomcat9 - security update
>= 8.5.0, < 8.5.99, >= 9.0.0, < 9.0.86, >= 10.0.0, < 10.1.19
MEDIUM 6.1 Apache Tomcat has an Open Redirect vulnerability
>= 8.5.30, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
MEDIUM 6.1 Apache Tomcat - XSS in generated JSPs
>= 9.0.96, < 9.0.97, >= 10.1.31, < 10.1.33, >= 11.0.0, < 11.0.9
MEDIUM 6.1 Apache Tomcat Open Redirect vulnerability
>= 8.5.0, < 8.5.93, >= 9.0.0, < 9.0.80, >= 10.1.0, < 10.1.13
MEDIUM 6.1 Cross-site Scripting in Apache Tomcat
>= 8.5.50, < 8.5.82, >= 9.0.30, < 9.0.65, >= 10.0.0, < 10.0.23
MEDIUM 5.9 Apache Tomcat Incomplete Cleanup vulnerability
>= 8.5.85, < 8.5.94, >= 9.0.70, < 9.0.81
MEDIUM 5.9 tomcat8 - security update
>= 7.0.0, < 7.0.107, >= 8.5.0, < 8.5.60, >= 9.0.1, < 9.0.40
MEDIUM 5.3 Apache Tomcat has an Improper Input Validation vulnerability
>= 9.0.13, < 9.0.116, >= 10.1.50, < 10.1.53, >= 11.0.15, < 11.0.20
MEDIUM 5.3 Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
from 0, < 9.0.110, >= 10.0.0, < 10.1.47, >= 11.0.0, < 11.0.12
MEDIUM 5.3 Apache Tomcat Uncontrolled Resource Consumption vulnerability
>= 9.0.0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
MEDIUM 5.3 tomcat9 - security update
>= 8.5.7, < 8.5.98, >= 9.0.0, < 9.0.45
MEDIUM 5.3 Apache Tomcat Improper Input Validation vulnerability
>= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.81, >= 10.1.1, < 10.1.14
MEDIUM 5.3 Apache Tomcat Incomplete Cleanup vulnerability
>= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.81, >= 10.1.1, < 10.1.14
MEDIUM 5.3 HTTP Request Smuggling in Apache Tomcat
>= 8.5.0, < 8.5.67, >= 9.0.0, < 9.0.47, >= 10.0.0, < 10.0.7
MEDIUM 4.8 Potential HTTP request smuggling in Apache Tomcat
>= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.51, >= 9.0.0, < 9.0.31
MEDIUM 4.3 Apache Tomcat vulnerable to Unprotected Transport of Credentials
>= 8.5.0, < 8.5.86, >= 9.0.0, < 9.0.72, >= 10.1.0, < 10.1.6
MEDIUM 4.3 tomcat9 - security update
>= 8.5.0, < 8.5.1, >= 8.5.1, < 8.5.2, >= 8.5.2, < 8.5.3, >= 8.5.3, < 8.5.4, >= 8.5.4, < 8.5.5, >= 8.5.5, < 8.5.6, >= 8.5.6, < 8.5.7, >= 8.5.7, < 8.5.8, >= 8.5.8, < 8.5.9, >= 8.5.9, < 8.5.10, >= 8.5.10, < 8.5.11, >= 8.5.11, < 8.5.12, >= 8.5.12, < 8.5.13, >= 8.5.13, < 8.5.14, >= 8.5.14, < 8.5.15, >= 8.5.15, < 8.5.16, >= 8.5.16, < 8.5.17, >= 8.5.17, < 8.5.18, >= 8.5.18, < 8.5.19, >= 8.5.19, < 8.5.20, >= 8.5.20, < 8.5.21, >= 8.5.21, < 8.5.22, >= 8.5.22, < 8.5.23, >= 8.5.23, < 8.5.24, >= 8.5.24, < 8.5.25, >= 8.5.25, < 8.5.26, >= 8.5.26, < 8.5.27, >= 8.5.27, < 8.5.28, >= 8.5.28, < 8.5.29, >= 8.5.29, < 8.5.30, >= 8.5.30, < 8.5.31, >= 8.5.31, < 8.5.32, >= 8.5.32, < 8.5.33, >= 8.5.33, < 8.5.34, >= 8.5.34, < 8.5.35, >= 8.5.35, < 8.5.36, >= 8.5.36, < 8.5.37, >= 8.5.37, < 8.5.38, >= 8.5.38, < 8.5.39, >= 8.5.39, < 8.5.40, >= 8.5.40, < 8.5.41, >= 8.5.41, < 8.5.42, >= 8.5.42, < 8.5.43, >= 8.5.43, < 8.5.44, >= 8.5.44, < 8.5.45, >= 8.5.45, < 8.5.46, >= 8.5.46, < 8.5.47, >= 8.5.47, < 8.5.48, >= 8.5.48, < 8.5.49, >= 8.5.49, < 8.5.50, >= 8.5.50, < 8.5.51, >= 8.5.51, < 8.5.52, >= 8.5.52, < 8.5.53, >= 8.5.53, < 8.5.54, >= 8.5.54, < 8.5.55, >= 8.5.55, < 8.5.56, >= 8.5.56, < 8.5.57, >= 8.5.57, < 8.5.58, >= 9.0.0, < 9.0.38
LOW 3.7 Apache Tomcat - AJP secret compared in non-constant time
>= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
LOW 3.7 Apache Tomcat - Security constraint bypass with HTTP/0.9
from 0, < 9.0.113, >= 10.1.0, < 10.1.50, >= 11.0.0, < 11.0.15
LOW 3.7 tomcat9 - security update
>= 8.5.0, < 8.5.78, >= 9.0.0, < 9.0.61, >= 10.0.0, < 10.0.19