{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24813", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-01-24T08:51:50.296Z", "datePublished": "2025-03-10T16:44:03.715Z", "dateUpdated": "2025-03-10T19:02:31.096Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.2", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.34", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.98", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "COSCO Shipping Lines DIC"}, {"lang": "en", "type": "finder", "value": "sw0rd1ight (https://github.com/sw0rd1ight)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Path Equivalence: 'file.Name' (Internal Dot) leading to&nbsp;<span style=\"background-color: var(--wht);\">Remote Code Execution and/or Information disclosure&nbsp;</span><span style=\"background-color: var(--wht);\">and/or malicious content added to uploaded files via write enabled&nbsp;</span><span style=\"background-color: var(--wht);\">Default Servlet</span>&nbsp;in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.</p><div><p>If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:<br>-&nbsp;<span style=\"background-color: var(--wht);\">writes enabled for the default servlet (disabled by default)<br></span><span style=\"background-color: var(--wht);\">- support for partial PUT (enabled by default)<br></span><span style=\"background-color: var(--wht);\">- a target URL for security sensitive uploads that was a sub-directory of&nbsp;</span><span style=\"background-color: var(--wht);\">a target URL for public uploads<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">attacker knowledge of the names of security sensitive files being&nbsp;</span><span style=\"background-color: var(--wht);\">uploaded<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">the security sensitive files also being uploaded via partial PUT</span></p><p><span style=\"background-color: var(--wht);\">If all of the following were true, a malicious user was able to</span> perform remote code execution:<br><span style=\"background-color: var(--wht);\">- writes enabled for the default servlet (disabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">support for partial PUT (enabled by default)<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application was using Tomcat's file based session persistence with the&nbsp;</span><span style=\"background-color: var(--wht);\">default storage location<br>-&nbsp;</span><span style=\"background-color: var(--wht);\">application included a library that may be leveraged in a&nbsp;</span><span style=\"background-color: var(--wht);\">deserialization attack</span></p><p><span style=\"background-color: var(--wht);\">Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.</span></p></div>"}], "value": "Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-44", "description": "CWE-44 Path Equivalence: 'file.name' (Internal Dot)", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-03-10T16:44:03.715Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-10T19:02:31.096Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Path Equivalence: 'file.Name' (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat's file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue."}], "id": "CVE-2025-24813", "lastModified": "2025-03-10T19:15:40.123", "metrics": {}, "published": "2025-03-10T17:15:35.067", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-44"}, {"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "id": "2351129", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351129"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "(CWE-44|CWE-502)", "details": ["A flaw was found in Apache Tomcat. In certain conditions/configurations, this vulnerability allows a remote attacker to exploit a path equivalence flaw to view file system contents and/or add malicious content via a write-enabled\u00a0Default Servlet\u00a0in Apache Tomcat. \nFor the vulnerability to be exploited, the following conditions must be true: writes to the default servlet are enabled (disabled by default), sensitive file uploads are sub-directories of a target URL for public uploads, attackers know the names of the files, and those files are subject to partial PUT uploads (enabled by default). If an application uses file-based session persistence with default storage and includes exploitable libraries, remote code execution (RCE) is possible."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-24813", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-10T16:44:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24813\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24813\nhttps://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"], "statement": "This vulnerability is marked as Important rather than Moderate because it has the potential for Remote Code Execution (RCE), information disclosure, and file corruption under certain conditions. While the exploitation requires specific configurations\u2014such as partial PUT being enabled and writable default servlet\u2014these settings are not uncommon in real-world deployments. The ability to manipulate file storage paths and potentially inject malicious content into sensitive files increases the attack surface significantly. Furthermore, the possibility of leveraging Tomcat's file-based session persistence for deserialization attacks, leading to RCE, elevates the risk level, as it could allow an attacker to execute arbitrary code on the server.", "threat_severity": "Important"}