Apache Tomcat
Apache Tomcat is the servlet container and reference implementation for Jakarta Servlet. It is embedded in many Java stacks and ships behind reverse proxies in production. NVD records Tomcat under the single application CPE apache:tomcat. Whether a given CVE applies often depends on which connectors and optional components are enabled (AJP, CGI, HTTP/2); the aggregated risk state summarizes every CVE range that matches the version you pass in, independent of your configuration.
Querying Apache Tomcat
product: tomcat
example versions: 9.0.30, 10.1.34, 8.5.100

curl "https://api.attestd.io/v1/check?product=tomcat&version=9.0.30" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Tomcat 9.0.30 is affected by CVE-2020-1938 (Ghostcat), a flaw in the AJP connector when it is exposed. The issue was widely exploited and appears on the CISA KEV catalog, so a live response may show risk_state: "critical" and actively_exploited: true. Live responses often list many more CVE IDs and a higher aggregate fixed_version (e.g. 9.0.99 for 9.0.30) than a single-advisory minimum patch. Your exact JSON depends on the latest synthesis run.
{
"product": "tomcat",
"version": "9.0.30",
"supported": true,
"risk_state": "critical",
"risk_factors": [
"remote_code_execution",
"no_authentication_required",
"patch_available"
],
"actively_exploited": true,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "9.0.99",
"confidence": 0.92,
"cve_ids": ["CVE-2020-1938", "CVE-2024-50379"],
"last_updated": "2026-02-23T18:21:30Z"
}

A newer major line is not automatically risk_state: "none": NVD often adds wide ranges. On a recent dev snapshot, 10.1.40 still returned high with an aggregate fixed_version of 10.1.42. Always re-check after ingestion and prefer the latest ASF release for your line.
curl "https://api.attestd.io/v1/check?product=tomcat&version=10.1.40" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
Tomcat advisories cluster around protocol connectors (AJP, HTTP/2), the default and CGI servlets, and TLS integration. Many issues only apply when a non-default feature is enabled, but NVD ranges still cover the affected version lines.
| CVE | Description | Affected versions | CVSS |
|---|---|---|---|
| CVE-2020-1938 | Ghostcat: mishandling of AJP requests allows file read from the host and was chained to RCE in several public exploits. Requires an exposed AJP connector (port 8009 by default). | 9.0.0 to 9.0.30, 8.5.0 to 8.5.50, 7.0.0 to 7.0.99 | 9.8 |
| CVE-2019-0232 | On Windows, the CGI servlet forwards command-line arguments from the JRE to the CGI program incorrectly, allowing argument injection and remote code execution when CGI is enabled. | 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93 | 9.8 |
| CVE-2022-29885 | TLS hostname verification for OpenSSL-based TLS handshakes did not validate the peer hostname correctly in certain configurations, weakening certificate identity checks for client or reverse-proxy TLS. | 10.1.0-M1 to 10.1.6, 9.0.56 to 9.0.62 | 7.5 |
| CVE-2023-45648 | HTTP/2 request mix-up: HTTP/2 connection reuse and stream handling errors could associate the wrong response body with a client request under load or specific sequences. | 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.80, 10.1.0-M1 to 10.1.13 | 7.5 |
| CVE-2024-50379 | Default servlet: race condition when serving static resources on case-insensitive file systems could allow unintended write or execution paths in constrained deployments. | 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.35, 9.0.0-M11 to 9.0.97 | 8.8 |
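The table above mixes plain releases (9.0.30) with milestone builds written two ways (9.0.0.M1, 10.1.0-M1), and the query section earlier relies on comparing an installed version against the aggregate fixed_version in the JSON response. The following Python is an added example, not Attestd's own code: it parses Tomcat version strings so that milestones sort before the final release of the same number, checks a version against the five CVE ranges transcribed from the table, and applies an assumed CI gate policy (the block/warn/pass thresholds are this example's choice, not the service's) to the sample 9.0.30 response shown earlier. The local range match goes slightly beyond the page by handling any milestone version, but it only knows the CVEs in this table; the live API aggregates many more, which is why its fixed_version is higher than any single row here.

```python
"""Tomcat version parsing, affected-range matching and response gating.

Added example, not Attestd's own code. The CVE ranges are copied from the
table above; the JSON is the sample response shown earlier on this page.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Tomcat publishes "9.0.30", "9.0.0.M1" and "10.1.0-M1" style strings; the
# milestone separator is either "." or "-" depending on the line and era.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int, int]:
    """Return a tuple that sorts milestones before the final release of the
    same number, e.g. 9.0.0-M1 < 9.0.0-M11 < 9.0.0 < 9.0.1."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges, transcribed from the CVE history table above.
AFFECTED_RANGES = {
    "CVE-2020-1938": [("9.0.0", "9.0.30"), ("8.5.0", "8.5.50"), ("7.0.0", "7.0.99")],
    "CVE-2019-0232": [("9.0.0.M1", "9.0.17"), ("8.5.0", "8.5.39"), ("7.0.0", "7.0.93")],
    "CVE-2022-29885": [("10.1.0-M1", "10.1.6"), ("9.0.56", "9.0.62")],
    "CVE-2023-45648": [("8.5.0", "8.5.93"), ("9.0.0-M1", "9.0.80"), ("10.1.0-M1", "10.1.13")],
    "CVE-2024-50379": [("11.0.0-M1", "11.0.1"), ("10.1.0-M1", "10.1.35"), ("9.0.0-M11", "9.0.97")],
}


def matching_cves(version: str) -> list[str]:
    """CVE IDs from the table whose ranges contain the given version."""
    v = parse_version(version)
    return sorted(
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    )


# Constructed copy of the sample response shown above for 9.0.30.
SAMPLE_RESPONSE = json.loads("""{
  "product": "tomcat", "version": "9.0.30", "supported": true,
  "risk_state": "critical",
  "risk_factors": ["remote_code_execution", "no_authentication_required", "patch_available"],
  "actively_exploited": true, "remote_exploitable": true,
  "authentication_required": false, "patch_available": true,
  "fixed_version": "9.0.99", "confidence": 0.92,
  "cve_ids": ["CVE-2020-1938", "CVE-2024-50379"],
  "last_updated": "2026-02-23T18:21:30Z"
}""")


def upgrade_target(response: dict) -> Optional[str]:
    """Return fixed_version when the queried version is below it, else None.
    Unsupported versions yield None rather than a false 'already patched'."""
    if not response.get("supported") or not response.get("patch_available"):
        return None
    fixed = response.get("fixed_version")
    if fixed and parse_version(response["version"]) < parse_version(fixed):
        return fixed
    return None


def gate_decision(response: dict) -> str:
    """Assumed CI policy (not Attestd's): block on actively exploited or
    critical, warn on high, otherwise pass. Unsupported versions warn so a
    missing data point never turns into a silent pass."""
    if not response.get("supported"):
        return "warn"
    if response.get("actively_exploited") or response.get("risk_state") == "critical":
        return "block"
    if response.get("risk_state") == "high":
        return "warn"
    return "pass"


if __name__ == "__main__":
    for ver in ("9.0.30", "10.1.34", "8.5.100", "9.0.0-M5"):
        print(ver, matching_cves(ver))
    print(gate_decision(SAMPLE_RESPONSE), upgrade_target(SAMPLE_RESPONSE))
```

The milestone ordering is the detail most home-grown checkers get wrong: a naive string or dotted-integer comparison puts 9.0.0-M11 after 9.0.0 and quietly drops it out of the CVE-2024-50379 range. Treating an unsupported version as a warning rather than a pass follows the same principle as the page's advice to re-check after ingestion: absence of data is not evidence of a clean version.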
NVD CPE
Attestd filters CVE configurations against the Apache Tomcat application CPE below. Unlike nginx or Redis, Tomcat does not currently require a second vendor namespace in our registry.
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*