Apache Tomcat^®

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 3.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that Tomcat 3 is no longer supported. Further vulnerabilities in the 3.x branches will not be fixed. Users should upgrade to 8.5.x or later to obtain security fixes.

Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

• Not fixed in Apache Tomcat 3.x
• Fixed in Apache Tomcat 3.3.2
• Fixed in Apache Tomcat 3.3.1a
• Fixed in Apache Tomcat 3.3.1
• Fixed in Apache Tomcat 3.3a
• Fixed in Apache Tomcat 3.2.4
• Fixed in Apache Tomcat 3.2.2
• Fixed in Apache Tomcat 3.2
• Fixed in Apache Tomcat 3.1

Important: Denial of service CVE-2005-0808

Tomcat 3.x can be remotely caused to crash or shutdown by a connection sending the right sequence of bytes to the AJP12 protocol port (TCP 8007 by default). Tomcat 3.x users are advised to ensure that this port is adequately firewalled to ensure it is not accessible to remote attackers. There are no plans to issue a an update to Tomcat 3.x for this issue.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.2

Low: Session hi-jacking CVE-2007-3382

Tomcat incorrectly treated a single quote character (') in a cookie value as a delimiter. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 3.3-3.3.2

Low: Cross site scripting CVE-2007-3384

When reporting error messages, Tomcat does not filter user supplied data before display. This enables an XSS attack. A source patch is available from the archives.

Affects: 3.3-3.3.2

Low: Session hi-jacking CVE-2007-3385

Tomcat incorrectly handled the character sequence \" in a cookie value. In some circumstances this lead to the leaking of information such as session ID to an attacker.

Affects: 3.3-3.3.2

Moderate: Cross site scripting CVE-2003-0044

The root web application and the examples web application contained a number a cross-site scripting vulnerabilities. Note that is it recommended that the examples web application is not installed on production servers.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1a

Important: Information disclosure CVE-2003-0043

When used with JDK 1.3.1 or earlier, web.xml files were read with trusted privileges enabling files outside of the web application to be read even when running under a security manager.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1

Important: Information disclosure CVE-2003-0042

URLs containing null characters could result in file contents being returned or a directory listing being returned even when a welcome file was defined.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1

Important: Denial of service CVE-2003-0045

JSP page names that match a Windows DOS device name, such as aux.jsp, may cause the thread processing the request to become unresponsive. A sequence of such requests may cause all request processing threads, and hence Tomcat, to become unresponsive.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a

Moderate: Information disclosure CVE-2002-2007

Non-standard requests to the sample applications installed by default could result in unexpected directory listings or disclosure of the full file system path for a JSP.

Affects: 3.2.3-3.2.4

Low: Information disclosure CVE-2002-2006, CVE-2000-0760

The snoop servlet installed as part of the examples includes output that identifies the Tomcat installation path. There are no plans to issue a an update to Tomcat 3.x for this issue.

Affects:3.1-3.1.1, 3.2-3.2.4

Moderate: Information disclosure CVE-2001-1563

No specifics are provided in the vulnerability report. This may be a summary of other issues reported against 3.2.x

Affects: 3.2?, 3.2.1, 3.2.2-3.2.3?

Moderate: Cross site scripting CVE-2001-0829

The default 404 error page does not escape URLs. This allows XSS attacks using specially crafted URLs.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1

Moderate: Information disclosure CVE-2001-0590

A specially crafted URL can be used to obtain the source for JSPs.

Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1

Low: Information disclosure CVE-2000-0759

Requesting a JSP that does not exist results in an error page that includes the full file system page of the current context.

Affects: 3.1

Important: Information disclosure CVE-2000-0672

Access to the admin context is not protected. This context allows an attacker to mount an arbitary file system path as a context. Any files accessible from this file sytem path to the account under which Tomcat is running are then visible to the attacker.

Affects: 3.1

Important: Information disclosure CVE-2000-1210

source.jsp, provided as part of the examples, allows an attacker to read arbitrary files via a .. (dot dot) in the argument to source.jsp.

Affects: 3.0