pkg:Bitnami/tomcat

79 total CVEs: CRITICAL 12, HIGH 42, MEDIUM 22, LOW 3


All known vulnerabilities

  • CRITICAL 9.8 | CVE-2025-24813 | KEV | Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
    from 0, < 9.0.99, >= 10.0.0, < 10.1.35, >= 11.0.0, < 11.0.3
  • CRITICAL 9.8 | CVE-2020-1938 | KEV | Improper Privilege Management in Tomcat
    >= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.51, >= 9.0.0, < 9.0.31
  • MEDIUM 5.3 | CVE-2023-44487 | KEV | nghttp2 - security update
    >= 8.5.0, < 8.5.94, >= 9.0.0, < 9.0.81, >= 10.0.0, < 10.1.14
  • CRITICAL 9.8 | CVE-2026-43512 | Apache Tomcat - Digest authenticator will authenticate any unknown user
    >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • CRITICAL 9.8 | CVE-2026-41293 | Apache Tomcat - HTTP/2 request headers not validated
    >= 10.0.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • CRITICAL 9.8 | CVE-2025-31651 | Apache Tomcat: Bypass of rules in Rewrite Valve
    from 0, < 9.0.104, >= 10.0.0, < 10.1.40, >= 11.0.0, < 11.0.6
  • CRITICAL 9.8 | CVE-2024-56337 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete
    from 0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
  • CRITICAL 9.8 | CVE-2024-50379 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation
    >= 9.0.0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
  • CRITICAL 9.8 | CVE-2024-52316 | Apache Tomcat: Authentication bypass when using Jakarta Authentication API
    >= 9.0.0, < 9.0.96, >= 10.0.0, < 10.1.31
  • CRITICAL 9.6 | CVE-2025-55754 | Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
    from 0, < 9.0.109, >= 10.0.0, < 10.1.45, >= 11.0.0, < 11.0.11
  • CRITICAL 9.1 | CVE-2026-43515 | Apache Tomcat - Security constraints not correctly applied
    >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • CRITICAL 9.1 | CVE-2026-29145 | Apache Tomcat: CLIENT_CERT authentication does not fail as expected
    from 0, < 8.5.98, >= 9.0.83, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
  • CRITICAL 9.1 | CVE-2025-66614 | Apache Tomcat: Client certificate verification bypass due to virtual host mapping
    >= 8.5.0, < 9.0.113, >= 10.1.0, < 10.1.50, >= 11.0.0, < 11.0.15
  • HIGH 8.6 | CVE-2024-38286 | Apache Tomcat: Denial of Service
    >= 9.0.13, < 9.0.90, >= 10.0.0, < 10.1.25, >= 11.0.0, < 11.0.9
  • HIGH 8.6 | CVE-2022-25762 | Response mix-up with WebSocket concurrent send and close
    >= 8.5.0, < 8.5.76, >= 9.0.0, < 9.0.21
  • HIGH 8.4 | CVE-2025-49124 | Apache Tomcat: exe side-loading via icacls.exe in Tomcat installer for Windows
    >= 9.0.23, < 9.0.107, >= 10.1.0, < 10.1.42, >= 11.0.0, < 11.0.9
  • HIGH 7.8 | CVE-2020-8022 | Incorrect Default Permissions in Apache Tomcat
    from 0, < 9.0.35-3.57.3
  • HIGH 7.5 | CVE-2026-41284 | Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
    >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • HIGH 7.5 | CVE-2026-43513 | Apache Tomcat: LockOutRealm treats user names as case-sensitive
    >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • HIGH 7.5 | CVE-2026-34487 | Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
    >= 9.0.13, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.21
  • HIGH 7.5 | CVE-2026-34483 | Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
    >= 9.0.40, < 9.0.117, >= 10.1.0, < 10.1.54, >= 11.0.0, < 11.0.21
  • HIGH 7.5 | CVE-2026-34486 | Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
    >= 9.0.116, < 9.0.117, >= 10.1.53, < 10.1.54, >= 11.0.20, < 11.0.21
  • HIGH 7.5 | CVE-2026-29129 | Apache Tomcat: Configured cipher preference order not preserved
    >= 9.0.114, < 9.0.116, >= 10.1.51, < 10.1.53, >= 11.0.16, < 11.0.20
  • HIGH 7.5 | CVE-2026-24880 | Apache Tomcat has an HTTP Request/Response Smuggling vulnerability
    from 0, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
  • HIGH 7.5 | CVE-2026-29146 | Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor
    >= 7.0.100, < 9.0.116, >= 10.0.0, < 10.1.53, >= 11.0.0, < 11.0.19
  • HIGH 7.5 | CVE-2026-24734 | Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
    >= 9.0.83, < 9.0.115, >= 10.1.0, < 10.1.52, >= 11.0.0, < 11.0.18
  • HIGH 7.5 | CVE-2025-55752 | Apache Tomcat Vulnerable to Relative Path Traversal
    from 0, < 9.0.109, >= 10.0.0, < 10.1.45, >= 11.0.0, < 11.0.11
  • HIGH 7.5 | CVE-2025-48989 | Apache Tomcat Improper Resource Shutdown or Release vulnerability
    from 0, < 9.0.108, >= 10.0.0, < 10.1.44, >= 11.0.0, < 11.0.10
  • HIGH 7.5 | CVE-2025-53506 | Apache Tomcat: DoS via excessive h2 streams at connection start
    from 0, < 9.0.107, >= 10.0.0, < 10.1.43, >= 11.0.0, < 11.0.9
  • HIGH 7.5 | CVE-2025-52520 | Apache Tomcat: DoS via integer overflow in multipart file upload
    from 0, < 9.0.107, >= 10.0.0, < 10.1.43, >= 11.0.0, < 11.0.9
  • HIGH 7.5 | CVE-2025-52434 | Apache Tomcat: APR/Native Connector crash leading to DoS
    >= 9.0.0, < 9.0.107
  • HIGH 7.5 | CVE-2025-49125 | Apache Tomcat: Security constraint bypass for pre/post-resources
    from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
  • HIGH 7.5 | CVE-2025-48988 | Apache Tomcat: FileUpload large number of parts with headers DoS
    from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
  • HIGH 7.5 | CVE-2025-31650 | Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
    >= 9.0.76, < 9.0.104, >= 10.1.10, < 10.1.40, >= 11.0.0, < 11.0.6
  • HIGH 7.5 | CVE-2024-34750 | Apache Tomcat: HTTP/2 excess header handling DoS
    >= 9.0.0, < 9.0.90, >= 10.0.0, < 10.1.25
  • HIGH 7.5 | CVE-2024-24549 | Apache Tomcat: HTTP/2 header handling DoS
    >= 8.5.0, < 8.5.99, >= 9.0.0, < 9.0.86, >= 10.0.0, < 10.1.19
  • HIGH 7.5 | CVE-2023-46589 | Apache Tomcat: HTTP request smuggling via malformed trailer headers
    >= 8.5.0, < 8.5.96, >= 9.0.0, < 9.0.83, >= 10.1.0, < 10.1.16
  • HIGH 7.5 | CVE-2023-28709 | Apache Tomcat: Fix for CVE-2023-24998 is incomplete
    >= 8.5.85, <= 8.5.87, >= 9.0.71, <= 9.0.73, >= 10.1.5, <= 10.1.7
  • HIGH 7.5 | CVE-2023-34981 | Apache Tomcat: AJP response header mix-up
    >= 8.5.88, < 8.5.89, >= 9.0.74, < 9.0.75, >= 10.1.8, < 10.1.9
  • HIGH 7.5 | CVE-2022-45143 | Apache Tomcat: JsonErrorReportValve escaping
    >= 9.0.40, < 9.0.69, >= 8.5.83, < 8.5.84, >= 10.1.1, < 10.1.2
  • HIGH 7.5 | CVE-2022-42252 | Apache Tomcat request smuggling via malformed content-length
    >= 8.5.0, < 8.5.83, >= 9.0.0, < 9.0.68, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.1
  • HIGH 7.5 | CVE-2022-29885 | EncryptInterceptor does not provide complete protection on insecure networks
    >= 8.5.38, < 8.5.79, >= 9.0.13, < 9.0.63, >= 10.0.0, < 10.0.21
  • HIGH 7.5 | CVE-2020-11996 | tomcat9 - security update
    >= 8.5.0, < 8.5.56, >= 9.0.0, < 9.0.36
  • HIGH 7.5 | CVE-2020-17527 | Apache Tomcat: Request header mix-up between HTTP/2 streams
    >= 8.5.1, < 8.5.60, >= 9.0.1, < 9.0.40
  • HIGH 7.5 | CVE-2020-13935 | Infinite Loop in Apache Tomcat
    >= 7.0.27, < 7.0.105, >= 8.5.0, < 8.5.57, >= 9.0.1, < 9.0.37
  • HIGH 7.5 | CVE-2020-13934 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Tomcat
    >= 8.5.1, < 8.5.57, >= 9.0.1, < 9.0.37
  • HIGH 7.5 | CVE-2021-42340 | DoS via memory leak with WebSocket connections
    >= 8.5.60, < 8.5.72, >= 9.0.40, < 9.0.54, >= 10.0.1, < 10.0.12
  • HIGH 7.5 | CVE-2021-41079 | Apache Tomcat DoS with unexpected TLS packet
    >= 8.5.0, < 8.5.64, >= 9.0.0, < 9.0.44, >= 10.0.0, < 10.0.3
  • HIGH 7.5 | CVE-2021-30639 | DoS after non-blocking IO error
    >= 8.5.64, < 8.5.65, >= 9.0.44, < 9.0.45, >= 10.0.3, < 10.0.4, >= 10.0.4, < 10.0.5
  • HIGH 7.5 | CVE-2021-25122 | Apache Tomcat h2c request mix-up
    >= 8.5.0, < 8.5.62, >= 9.0.0, < 9.0.42, >= 10.0.0, < 10.0.1
  • HIGH 7.3 | CVE-2026-42498 | Apache Tomcat - WebSocket authentication header exposure
    >= 10.0.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • HIGH 7.3 | CVE-2025-46701 | Apache Tomcat: Security constraint bypass for CGI scripts
    from 0, < 9.0.105, >= 10.0.0, < 10.1.41, >= 11.0.0, < 11.0.7
  • HIGH 7.0 | CVE-2022-23181 | Local privilege escalation with FileStore
    >= 8.5.55, < 8.5.74, >= 9.0.35, < 9.0.57, >= 10.0.1, < 10.0.15
  • HIGH 7.0 | CVE-2021-25329 | Incomplete fix for CVE-2020-9484
    >= 7.0.0, < 7.0.108, >= 8.5.0, < 8.5.62, >= 9.0.0, < 9.0.42, >= 10.0.0, < 10.0.1
  • HIGH 7.0 | CVE-2020-9484 | Potential remote code execution in Apache Tomcat
    >= 7.0.0, < 7.0.108, >= 8.5.0, < 8.5.63, >= 9.0.1, < 9.0.43
  • MEDIUM 6.5 | CVE-2026-34500 | Apache Tomcat: CLIENT_CERT authentication does not fail as expected
    >= 9.0.92, < 9.0.117, >= 10.1.22, < 10.1.54, >= 11.0.0, < 11.0.21
  • MEDIUM 6.5 | CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve
    from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
  • MEDIUM 6.5 | CVE-2024-52317 | Apache Tomcat: Request/response mix-up with HTTP/2
    >= 9.0.92, < 9.0.96, >= 10.1.27, < 10.1.31, >= 11.0.0, < 11.0.9
  • MEDIUM 6.5 | CVE-2021-30640 | Auth weakness in JNDIRealm
    >= 7.0.0, < 7.0.109, >= 8.5.0, < 8.5.66, >= 9.0.0, < 9.0.46, >= 10.0.0, < 10.0.6
  • MEDIUM 6.3 | CVE-2024-23672 | Apache Tomcat: WebSocket DoS with incomplete closing handshake
    >= 8.5.0, < 8.5.99, >= 9.0.0, < 9.0.86, >= 10.0.0, < 10.1.19
  • MEDIUM 6.1 | CVE-2026-25854 | Apache Tomcat has an Open Redirect vulnerability
    >= 8.5.30, < 9.0.116, >= 10.1.0, < 10.1.53, >= 11.0.0, < 11.0.20
  • MEDIUM 6.1 | CVE-2024-52318 | Apache Tomcat: Incorrect JSP tag recycling leads to XSS
    >= 9.0.96, < 9.0.97, >= 10.1.31, < 10.1.33, >= 11.0.0, < 11.0.9
  • MEDIUM 6.1 | CVE-2023-41080 | Apache Tomcat: Open redirect with FORM authentication
    >= 8.5.0, < 8.5.93, >= 9.0.0, < 9.0.80, >= 10.1.0, < 10.1.13
  • MEDIUM 6.1 | CVE-2022-34305 | XSS in examples web application
    >= 8.5.50, < 8.5.82, >= 9.0.30, < 9.0.65, >= 10.0.0, < 10.0.23
  • MEDIUM 5.9 | CVE-2023-42794 | Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows
    >= 8.5.85, < 8.5.94, >= 9.0.70, < 9.0.81
  • MEDIUM 5.9 | CVE-2021-24122 | Apache Tomcat information disclosure
    >= 7.0.0, < 7.0.107, >= 8.5.0, < 8.5.60, >= 9.0.1, < 9.0.40
  • MEDIUM 5.3 | CVE-2026-32990 | Apache Tomcat has an Improper Input Validation vulnerability
    >= 9.0.13, < 9.0.116, >= 10.1.50, < 10.1.53, >= 11.0.15, < 11.0.20
  • MEDIUM 5.3 | CVE-2025-61795 | Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
    from 0, < 9.0.110, >= 10.0.0, < 10.1.47, >= 11.0.0, < 11.0.12
  • MEDIUM 5.3 | CVE-2024-54677 | Apache Tomcat Uncontrolled Resource Consumption vulnerability
    >= 9.0.0, < 9.0.98, >= 10.0.0, < 10.1.34, >= 11.0.0, < 11.0.2
  • MEDIUM 5.3 | CVE-2024-21733 | Apache Tomcat: Leaking of unrelated request bodies in default error page
    >= 8.5.7, < 8.5.98, >= 9.0.0, < 9.0.45
  • MEDIUM 5.3 | CVE-2023-45648 | Apache Tomcat: Trailer header parsing too lenient
    >= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.81, >= 10.1.1, < 10.1.14
  • MEDIUM 5.3 | CVE-2023-42795 | Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests
    >= 8.5.0, < 8.5.94, >= 9.0.1, < 9.0.81, >= 10.1.1, < 10.1.14
  • MEDIUM 5.3 | CVE-2021-33037 | Incorrect Transfer-Encoding handling with HTTP/1.0
    >= 8.5.0, < 8.5.67, >= 9.0.0, < 9.0.47, >= 10.0.0, < 10.0.7
  • MEDIUM 4.8 | CVE-2020-1935 | Potential HTTP request smuggling in Apache Tomcat
    >= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.51, >= 9.0.0, < 9.0.31
  • MEDIUM 4.3 | CVE-2023-28708 | Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
    >= 8.5.0, < 8.5.86, >= 9.0.0, < 9.0.72, >= 10.1.0, < 10.1.6
  • MEDIUM 4.3 | CVE-2020-13943 | tomcat9 - security update
    >= 8.5.0, < 8.5.1, >= 8.5.1, < 8.5.2, >= 8.5.2, < 8.5.3, >= 8.5.3, < 8.5.4, >= 8.5.4, < 8.5.5, >= 8.5.5, < 8.5.6, >= 8.5.6, < 8.5.7, >= 8.5.7, < 8.5.8, >= 8.5.8, < 8.5.9, >= 8.5.9, < 8.5.10, >= 8.5.10, < 8.5.11, >= 8.5.11, < 8.5.12, >= 8.5.12, < 8.5.13, >= 8.5.13, < 8.5.14, >= 8.5.14, < 8.5.15, >= 8.5.15, < 8.5.16, >= 8.5.16, < 8.5.17, >= 8.5.17, < 8.5.18, >= 8.5.18, < 8.5.19, >= 8.5.19, < 8.5.20, >= 8.5.20, < 8.5.21, >= 8.5.21, < 8.5.22, >= 8.5.22, < 8.5.23, >= 8.5.23, < 8.5.24, >= 8.5.24, < 8.5.25, >= 8.5.25, < 8.5.26, >= 8.5.26, < 8.5.27, >= 8.5.27, < 8.5.28, >= 8.5.28, < 8.5.29, >= 8.5.29, < 8.5.30, >= 8.5.30, < 8.5.31, >= 8.5.31, < 8.5.32, >= 8.5.32, < 8.5.33, >= 8.5.33, < 8.5.34, >= 8.5.34, < 8.5.35, >= 8.5.35, < 8.5.36, >= 8.5.36, < 8.5.37, >= 8.5.37, < 8.5.38, >= 8.5.38, < 8.5.39, >= 8.5.39, < 8.5.40, >= 8.5.40, < 8.5.41, >= 8.5.41, < 8.5.42, >= 8.5.42, < 8.5.43, >= 8.5.43, < 8.5.44, >= 8.5.44, < 8.5.45, >= 8.5.45, < 8.5.46, >= 8.5.46, < 8.5.47, >= 8.5.47, < 8.5.48, >= 8.5.48, < 8.5.49, >= 8.5.49, < 8.5.50, >= 8.5.50, < 8.5.51, >= 8.5.51, < 8.5.52, >= 8.5.52, < 8.5.53, >= 8.5.53, < 8.5.54, >= 8.5.54, < 8.5.55, >= 8.5.55, < 8.5.56, >= 8.5.56, < 8.5.57, >= 8.5.57, < 8.5.58, >= 9.0.0, < 9.0.38
  • LOW 3.7 | CVE-2026-43514 | Apache Tomcat - AJP secret compared in non-constant time
    >= 10.1.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
  • LOW 3.7 | CVE-2026-24733 | Apache Tomcat: Security constraint bypass with HTTP/0.9
    from 0, < 9.0.113, >= 10.1.0, < 10.1.50, >= 11.0.0, < 11.0.15
  • LOW 3.7 | CVE-2021-43980 | Apache Tomcat: Information disclosure
    >= 8.5.0, < 8.5.78, >= 9.0.0, < 9.0.61, >= 10.0.0, < 10.0.19