Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-49125

Опубликовано: 16 июн. 2025
Источник: nvd
CVSS3: 7.5
EPSS Низкий

Описание

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 9.0.0 (включая) до 9.0.106 (исключая)
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 10.1.0 (включая) до 10.1.42 (исключая)
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Версия от 11.0.0 (включая) до 11.0.8 (исключая)

EPSS

Процентиль: 15%
0.00049
Низкий

7.5 High

CVSS3

Дефекты

CWE-288

Связанные уязвимости

ubuntu логотип

CVE-2025-49125

CVSS3: 7.5
ubuntu
около 2 месяцев назад

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

redhat логотип

CVE-2025-49125

CVSS3: 3.7
redhat
около 2 месяцев назад

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

debian логотип

CVE-2025-49125

CVSS3: 7.5
debian
около 2 месяцев назад

Authentication Bypass Using an Alternate Path or Channel vulnerability ...

github логотип

GHSA-wc4r-xq3c-5cf3

github
около 2 месяцев назад

Apache Tomcat - Security constraint bypass for pre/post-resources

suse-cvrf логотип

SUSE-SU-2025:02280-1

suse-cvrf
24 дня назад

Security update for tomcat

EPSS

Процентиль: 15%
0.00049
Низкий

7.5 High

CVSS3

Дефекты

CWE-288