Apache Tomcat Vulnerability List
Found 40 vulnerabilities related to Apache Tomcat
-
CVE-2018-11759: Apache Tomcat JK Connect <=1.2.44 - Manager Access POC
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. app="mod_jk" -
CVE-2020-1938: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability POC
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application; and processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. fofa: port="8009" && protocol="ajp" -
tomcat-detect: Apache Tomcat Detect POC
An Apache Tomcat Manager panel was discovered. app="APACHE-Tomcat" -
CVE-2020-13935: Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service POC
Apache Tomcat versions 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104 contain a vulnerability in the WebSocket module where the payload length of WebSocket frames is not correctly validated. This can lead to an infinite loop when processing frames with invalid payload lengths. Attackers can exploit this flaw by sending multiple malicious requests, resulting in a denial of service (DoS) on the affected Tomcat instance. -
CVE-2007-2449: Apache Tomcat 4.x-7.x - Cross-Site Scripting POC
Apache Tomcat 4.x through 7.x contains a cross-site scripting vulnerability which an attacker can use to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. -
CVE-2016-8735: Apache Tomcat - Remote Code Execution via JMX Ports POC
Apache Tomcat versions before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 are vulnerable to remote code execution if JmxRemoteLifecycleListener is used and the JMX ports are exposed to attackers. The vulnerability exists due to inconsistent credential type handling, which was not aligned with the CVE-2016-3427 Oracle patch. Attackers with access to JMX ports can exploit this issue to execute arbitrary code remotely. -
CVE-2017-12615: Apache Tomcat Servers - Remote Code Execution POC
Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have the PUT method enabled by using a specially crafted HTTP request. -
CVE-2017-12617: Apache Tomcat - Remote Code Execution POC
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. -
CVE-2018-11759: Apache Tomcat JK Connect <=1.2.44 - Manager Access POC
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. -
CVE-2018-11784: Apache Tomcat - Open Redirect POC
Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because they fail to properly sanitize user-supplied input. -
CVE-2019-0221: Apache Tomcat - Cross-Site Scripting POC
Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. -
CVE-2019-0232: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution POC
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). -
CVE-2020-9484: Apache Tomcat Remote Command Execution POC
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. -
CVE-2025-24813: Apache Tomcat Path Equivalence - Remote Code Execution POC
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. -
CVE-2020-1938: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability POC
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application; and processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. -
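Apache Tomcat Remote Command Execution (CVE-2025-24813) No POC
Apache Tomcat is an open-source Java Servlet container widely used to run Java-based web applications. This vulnerability (CVE-2025-24813) allows a remote attacker to execute arbitrary commands on the target system through a specific malicious request, thereby taking full control of the affected server. -
Apache Tomcat Partial PUT Remote Code Execution Vulnerability No POC
Apache Tomcat is a lightweight web application server from the Apache Foundation (USA), used to implement support for Servlets and JavaServer Pages (JSP). Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34 and 9.0.0.M1 to 9.0.98 contain an environment-issue vulnerability. An attacker can exploit this vulnerability to execute code remotely or disclose sensitive information. -
Apache Tomcat CVE-2024-56337 Race Condition RCE (Windows only) No POC
Apache Tomcat has a Time-of-check Time-of-use (TOCTOU) race condition vulnerability during JSP compilation. When the default servlet is enabled for write operations (a non-default configuration), this can lead to remote code execution (RCE) on case-insensitive file systems. Affected Apache Tomcat versions: 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. Note: older Tomcat versions are also affected, but the official advisory does not mention them. This vulnerability is similar to CVE-2024-50379; the official initial fix was incomplete. -
Apache Tomcat CVE-2024-50379 Race Condition RCE (Windows only) No POC
Apache Tomcat has a Time-of-check Time-of-use (TOCTOU) race condition vulnerability during JSP compilation. When the default servlet is enabled for write operations (a non-default configuration), this can lead to remote code execution (RCE) on case-insensitive file systems. Affected Apache Tomcat versions: 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. -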
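Apache Tomcat Authentication Flaw Vulnerability No POC
-
Apache Tomcat Improper Resource Allocation Control Vulnerability, May Cause Denial of Service No POC
Apache Tomcat improper resource allocation control vulnerability, may cause denial of service -
Apache Tomcat CVE-2023-46589 Request Smuggling Vulnerability No POC
Apache Tomcat has a request smuggling vulnerability, caused by the application's lack of validation of abnormal data in chunked transfers. -
Apache Tomcat HTTP2 CVE-2024-24549 Denial of Service Vulnerability No POC
Apache Tomcat has a denial-of-service vulnerability, caused by a lack of validation of HTTP2 requests. -
Apache Tomcat FORM Authentication Redirect Vulnerability No POC
Apache Tomcat has a redirect vulnerability, caused by insufficient validation of the received URL. -
Apache Tomcat SSI printenv CVE-2019-0221 Cross-Site Scripting Vulnerability No POC
The Apache Tomcat SSI printenv command has a cross-site scripting vulnerability, caused by the application's insufficient validation of user input. -
Apache Tomcat Improper Resource Allocation Control Vulnerability No POC
Apache Tomcat improper resource allocation control vulnerability -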
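Apache Tomcat CVE-2021-33037 Request Smuggling Vulnerability No POC
Apache Tomcat has a request smuggling vulnerability. -
Apache Tomcat CVE-2021-33037 Request Smuggling Vulnerability No POC
Apache Tomcat has a request smuggling vulnerability. -
Apache Tomcat ChunkedInputFilter Malformed Chunk Size Denial of Service Vulnerability No POC
The Apache Tomcat application server has a denial-of-service vulnerability, caused by the Chunk Size in HTTP requests not being correctly limited. -
Apache Tomcat CVE-2024-21733 Information Disclosure Vulnerability No POC
Apache Tomcat has an information disclosure vulnerability, caused by insufficient validation of user-supplied data. -
Apache Tomcat maxParameterCount Denial of Service Vulnerability No POC
Apache Tomcat has a denial-of-service vulnerability, caused by resource exhaustion in the component when there are too many parameters. -
Apache Tomcat Form Authentication Example XSS Vulnerability No POC
Apache Tomcat has an XSS vulnerability. -
Apache Tomcat FORM Authentication Redirect Vulnerability No POC
Apache Tomcat has a redirect vulnerability, caused by insufficient validation of the received URL. -
Apache Tomcat Information Disclosure Vulnerability No POC
Apache Tomcat information disclosure vulnerability -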
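Apache Tomcat Ajp webapp Arbitrary File Read Vulnerability (CVE-2020-1938) No POC
Apache Tomcat enables an AJP connector to make it easy to interact with other web servers over the AJP protocol. Because Tomcat also contains an HTTP server of its own, it can also be regarded as a standalone web server. This is a file inclusion vulnerability: an attacker can exploit it to read or include any file under all webapp directories on Tomcat. -
Apache Tomcat JK (mod_jk) Connector - Directory Traversal (CVE-2018-11759) No POC
[Vulnerability description] Apache Tomcat JK (mod_jk) [Affected versions] 1.2.0, 1.2.4 [Vulnerability description] The code used by the Apache Tomcat web server (httpd) to normalise the request path did not correctly handle some edge cases (such as filtering ";") before matching against the URI-Worker map in the Apache Tomcat JK (mod_jk) connector, leading to information disclosure. An attacker can exploit this vulnerability to cause information disclosure. -
Apache Tomcat AJP File Read and Inclusion Vulnerability No POC
Apache Tomcat is a Servlet container developed by the Jakarta project under the Apache Software Foundation. By default, Apache Tomcat enables an AJP connector to make it easy to interact with other web servers over the AJP protocol. However, Apache Tomcat's implementation of the AJP protocol contains a vulnerability that lets an attacker, by sending malicious AJP requests, read or include any file under the web application root directory; if a file upload feature exists, this can lead to arbitrary code execution. The vulnerability is exploited through the AJP service port; installations that do not expose the AJP service externally are not affected (Tomcat by default enables the AJP service and binds it to 0.0.0.0). The Chaitin Emergency Response Center reminds Apache Tomcat users to check as soon as possible whether their AJP port is exposed externally and to take security measures to block attacks exploiting this vulnerability. -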
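Apache Tomcat CGIServlet Remote Code Execution Vulnerability No POC
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to remote code execution because of the way the JRE passes command line arguments to Windows. -
Apache Tomcat Arbitrary File Upload Vulnerability No POC
Apache Tomcat is a popular open-source JSP application server. -
Apache Tomcat AJP Protocol Security Restriction Bypass Vulnerability No POC
Apache Tomcat is a lightweight web application server from the Jakarta project under the Apache Software Foundation (USA); it is mainly used for developing and debugging JSP programs and is suited to small and medium-sized systems. Tomcat's implementation of the AJP protocol has a security restriction bypass vulnerability. The vulnerability stems from Apache Tomcat mishandling certain requests and can be exploited to inject arbitrary AJP messages and disclose sensitive information or bypass authentication mechanisms. Successful exploitation requires that the org.apache.jk.server.JkCoyoteHandler AJP connector is not used, that POST requests are accepted, and that the request body is not processed. A remote attacker can exploit this vulnerability to bypass certain security restrictions.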