Skip to main content

Apache Tomcat 7.0.x Support

Common Vulnerabilities & Exposures (CVE)

First release: 2011-01-14
Support Lifecycle: Maintenance Support
Discontinued: 2021-03-31
Namespace: javax
CVEs: 55

What Versions do we cover?


7.0.6

7.0.8

7.0.10

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

7.0.72

7.0.73

7.0.75

7.0.76

7.0.77

7.0.78

7.0.79

7.0.81

7.0.82

7.0.84

7.0.85

7.0.86

7.0.88

7.0.90

7.0.91

7.0.92

7.0.93

7.0.94

7.0.96

7.0.99

7.0.100

7.0.103

7.0.104

7.0.105

7.0.106

7.0.107

7.0.108

7.0.109

Latest Apache Tomcat 7.0.x CVEs

CVE
Severity
Description
Category
Affected
CVE-2023-42795
2023-09-14
5.9
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
dataoperational
CWE-459
Details
CVE-2023-41080
2023-08-22
6.1
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
configurationdataoperational
CWE-601
Details
CVE-2023-28708
2023-03-21
6.5
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
dataoperational
CWE-523
Details
CVE-2021-30640
2021-04-13
4.8
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
data
Authentication weaknees
Details
CVE-2021-25329
2021-01-19
7.5
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
dataoperational
Remote code execution via session persistence
Details

Most Critical Apache Tomcat 7.0.x CVEs

CVE
Severity
Description
Category
Affected
CVE-2011-1184
2011-03-03
9.1
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
functional
n/a
Details
CVE-2011-5062
2012-01-14
9.1
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
datafunctional
n/a
Details
CVE-2019-0232
2018-11-14
8.8
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
configurationdata
Remote Code Execution
Details
CVE-2017-5664
2017-01-29
7.5
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
configurationdata
Security Constrainy Bypass
Details
CVE-2013-4590
2013-06-12
8.2
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
operational
n/a
Details

What We Deliver

Migration support

Production & Development support

1 hr response-time

Unlimited support incidents

5 languages supported

Fast bug fixes & security patch turnaround

Enterprise Support Details

Subscription Level
Bronze
Silver
Gold
Core Count
64 cores
120 cores
248 cores
Apache Tomcat
Apache TomEE
Apache ActiveMQ
Tribestream API Gateway
SLA
24x7
24x7
24x7
Response Time
1hr
1hr
1hr
Incidents
unlimited
unlimited
unlimited
CVE Patching
unlimited
unlimited
unlimited
Developer Questions
1 parallel
2 parallel
4 parallel
Admin Contacts
2
3
4
Phone, Email, Portal
Professional Services
3 days
5 days
10 days
Training
2 days
3 days
5 days
Feature Development
10 days
17 days
25 days