{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24813", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-01-24T08:51:50.296Z", "datePublished": "2025-03-10T16:44:03.715Z", "dateUpdated": "2025-03-21T18:03:51.853Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.2", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.34", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.98", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "COSCO Shipping Lines DIC"}, {"lang": "en", "type": "finder", "value": "sw0rd1ight (https://github.com/sw0rd1ight)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Path Equivalence: 'file.Name' (Internal Dot) leading to&nbsp;<span style=\"background-color: var(--wht);\">Remote Code Execution and/or Information disclosure&nbsp;</span><span style=\"background-color: var(--wht);\">and/or malicious content added to uploaded files via write enabled&nbsp;</span><span style=\"background-color: var(--wht);\">Default Servlet</span>&nbsp;in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.</p><div><p>If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:<br>-&nbsp;<span style=\"background-color: var(--wht);\">writes enabled for the default servlet (disabled by default)<br></span><span style=\"background-color: var(--wht);\">- support for partial PUT (enabled by default)<br></span><span style=\"background-color: var(--wht);\">- a target URL for security sensitive uploads that was a sub-directory of&nbsp;</span><span style=\"background-color: var(--wht);\">a target URL for public uploads<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">attacker knowledge of the names of security sensitive files being&nbsp;</span><span style=\"background-color: var(--wht);\">uploaded<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">the security sensitive files also being uploaded via partial PUT</span></p><p><span style=\"background-color: var(--wht);\">If all of the following were true, a malicious user was able to</span> perform remote code execution:<br><span style=\"background-color: var(--wht);\">- writes enabled for the default servlet (disabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">support for partial PUT (enabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application was using Tomcat's file based session persistence with the&nbsp;</span><span style=\"background-color: var(--wht);\">default storage location<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application included a library that may be leveraged in a&nbsp;</span><span style=\"background-color: var(--wht);\">deserialization attack</span></p><p><span style=\"background-color: var(--wht);\">Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.</span></p></div>"}], "value": "Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-44", "description": "CWE-44 Path Equivalence: 'file.name' (Internal Dot)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-03-18T16:09:46.245Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"}, {"url": "https://security.netapp.com/advisory/ntap-20250321-0001/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-21T18:03:51.853Z"}}, {"references": [{"url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-19T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-24813"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T03:55:52.196Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"}, {"url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"}, {"url": "https://security.netapp.com/advisory/ntap-20250321-0001/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-21T18:03:51.853Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24813", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-17T15:28:23.469888Z"}}}], "references": [{"url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T17:14:18.378Z"}}], "cna": {"title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "COSCO Shipping Lines DIC"}, {"lang": "en", "type": "finder", "value": "sw0rd1ight (https://github.com/sw0rd1ight)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.2"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.34"}, {"status": "affected", "version": "9.0.0.M1", "versionType": "semver", "lessThanOrEqual": "9.0.98"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Path Equivalence: 'file.Name' (Internal Dot) leading to&nbsp;<span style=\"background-color: var(--wht);\">Remote Code Execution and/or Information disclosure&nbsp;</span><span style=\"background-color: var(--wht);\">and/or malicious content added to uploaded files via write enabled&nbsp;</span><span style=\"background-color: var(--wht);\">Default Servlet</span>&nbsp;in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.</p><div><p>If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:<br>-&nbsp;<span style=\"background-color: var(--wht);\">writes enabled for the default servlet (disabled by default)<br></span><span style=\"background-color: var(--wht);\">- support for partial PUT (enabled by default)<br></span><span style=\"background-color: var(--wht);\">- a target URL for security sensitive uploads that was a sub-directory of&nbsp;</span><span style=\"background-color: var(--wht);\">a target URL for public uploads<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">attacker knowledge of the names of security sensitive files being&nbsp;</span><span style=\"background-color: var(--wht);\">uploaded<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">the security sensitive files also being uploaded via partial PUT</span></p><p><span style=\"background-color: var(--wht);\">If all of the following were true, a malicious user was able to</span> perform remote code execution:<br><span style=\"background-color: var(--wht);\">- writes enabled for the default servlet (disabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">support for partial PUT (enabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application was using Tomcat's file based session persistence with the&nbsp;</span><span style=\"background-color: var(--wht);\">default storage location<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application included a library that may be leveraged in a&nbsp;</span><span style=\"background-color: var(--wht);\">deserialization attack</span></p><p><span style=\"background-color: var(--wht);\">Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.</span></p></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-44", "description": "CWE-44 Path Equivalence: 'file.name' (Internal Dot)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-03-18T16:09:46.245Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24813", "state": "PUBLISHED", "dateUpdated": "2025-03-21T18:03:51.853Z", "dateReserved": "2025-01-24T08:51:50.296Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-03-10T16:44:03.715Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "DAA3CD29-4D05-4F58-BE63-0A100C010AF0", "versionEndExcluding": "9.0.99", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "108D9F43-5A29-475E-9EE2-66CE8899B318", "versionEndExcluding": "10.1.35", "versionStartIncluding": "10.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7E3D41F-F7C8-4BAB-A80B-287FACB0F7E4", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "0092FB35-3B00-484F-A24D-7828396A4FF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "CB557E88-FA9D-4B69-AA6F-EAEE7F9B01AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue."}, {"lang": "es", "value": "Equivalencia de ruta: 'file.Name' (punto interno) que conduce a la ejecuci\u00f3n remota de c\u00f3digo y/o divulgaci\u00f3n de informaci\u00f3n y/o contenido malicioso agregado a los archivos cargados a trav\u00e9s del servlet predeterminado habilitado para escritura en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.2, desde 10.1.0-M1 hasta 10.1.34, desde 9.0.0.M1 hasta 9.0.98. Si todo lo siguiente fuera cierto, un usuario malintencionado podr\u00eda ver archivos sensibles de seguridad y/o inyectar contenido en esos archivos: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - una URL de destino para cargas sensibles de seguridad que era un subdirectorio de una URL de destino para cargas p\u00fablicas - conocimiento del atacante de los nombres de los archivos sensibles de seguridad que se estaban cargando - los archivos sensibles de seguridad tambi\u00e9n se estaban cargando a trav\u00e9s de PUT parcial Si todo lo siguiente fuera cierto, un usuario malintencionado podr\u00eda realizar una ejecuci\u00f3n remota de c\u00f3digo: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - la aplicaci\u00f3n estaba usando la persistencia de sesi\u00f3n basada en archivos de Tomcat con la ubicaci\u00f3n de almacenamiento predeterminada - la aplicaci\u00f3n inclu\u00eda una biblioteca que se puede aprovechar en un ataque de deserializaci\u00f3n Se recomienda a los usuarios actualizar a la versi\u00f3n 11.0.3, 10.1.35 o 9.0.98, que corrige el problema."}], "id": "CVE-2025-24813", "lastModified": "2025-03-21T18:15:34.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-10T17:15:35.067", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250321-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"], "url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-44"}, {"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-706"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "id": "2351129", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351129"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "(CWE-44|CWE-502)", "details": ["Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.", "A flaw was found in Apache Tomcat. In certain conditions and configurations, this vulnerability allows a remote attacker to exploit a path equivalence flaw to view file system contents and add malicious content via a write-enabled\u00a0Default Servlet\u00a0in Apache Tomcat. \nFor the vulnerability to be exploited, the following conditions must be true: writes to the default servlet are enabled (disabled by default), sensitive file uploads are sub-directories of a target URL for public uploads, attackers know the names of the files, and those files are subject to partial PUT uploads enabled by default. If an application uses file-based session persistence with default storage and includes exploitable libraries, remote code execution (RCE) is possible."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-24813", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2025-03-10T16:44:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24813\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24813\nhttps://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"], "statement": "This vulnerability is marked as Moderate rather than Important because it requires multiple non-default configurations to be exploitable, significantly limiting its impact in typical deployments. Specifically, for information disclosure or file injection, the attack is only possible if writes are enabled for the default servlet, partial PUT requests are supported, and sensitive file uploads occur within a publicly writable directory\u2014conditions that are uncommon in secure environments. For remote code execution (RCE), exploitation requires both file-based session persistence and a deserialization-vulnerable library, further reducing its likelihood. Since most modern Tomcat deployments do not meet all these criteria simultaneously, the overall risk is lower than an \"Important\" classification would suggest.\nThe Tomcat package as shipped in Red Hat Enterprise Linux 6 and 7 is not affected by this vulnerability because the vulnerable code was introduced in a newer Tomcat version.\nRed Hat Satellite is not directed impacted by this issue as it does not include the affected Tomcat package. However, Tomcat is consumed by Candlepin, a component of Satellite. Red Hat Satellite users are advised to check the impact state of Red Hat Enterprise Linux as any necessary fixes will be distributed through the platform. Satellite configuration does not contain affected parameters that would make Tomcat vulnerable, therefore, even if a vulnerable Tomcat version is shipped with affected RHEL release alongside Satellite, there is no chance of it being exposed to flaw in Red Hat Satellite.", "threat_severity": "Moderate"}