Описание
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
A flaw was found in Apache Tomcat. In certain conditions and configurations, this vulnerability allows a remote attacker to exploit a path equivalence flaw to view file system contents and add malicious content via a write-enabled Default Servlet in Apache Tomcat. For the vulnerability to be exploited, the following conditions must be true: writes to the default servlet are enabled (disabled by default), sensitive file uploads are sub-directories of a target URL for public uploads, attackers know the names of the files, and those files are subject to partial PUT uploads enabled by default. If an application uses file-based session persistence with default storage and includes exploitable libraries, remote code execution (RCE) is possible.
Отчет
This vulnerability has a Moderate impact (rather than Important) because it requires multiple non-default configurations to be exploitable, significantly limiting its impact in typical deployments. For remote code execution (RCE), exploitation requires both file-based session persistence and a library vulnerable to deserialization, further reducing its likelihood. For information disclosure or file injection, the attack is only possible if writes are enabled for the default servlet, partial PUT requests are supported, and sensitive file uploads occur within a publicly writable directory. The combination of all three of these conditions is uncommon in secure environments. Since most modern Tomcat deployments do not meet all these criteria simultaneously, the overall risk is reduced The Tomcat package as shipped in Red Hat Enterprise Linux 6 and 7 is not affected by this vulnerability because the vulnerable code was introduced in a newer Tomcat version. Red Hat Satellite is not directly impacted by this issue as it does not include the affected Tomcat package. However, Tomcat is consumed by Candlepin, a component of Satellite. Red Hat Satellite users are advised to check the impact state of Red Hat Enterprise Linux as any necessary fixes will be distributed through the platform. Satellite configuration does not contain affected parameters that would make Tomcat vulnerable, therefore, even if a vulnerable Tomcat version is shipped with affected RHEL release alongside Satellite, there is no chance of it being exposed to flaw in Red Hat Satellite.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | tomcat6 | Out of support scope | ||
| Red Hat Enterprise Linux 7 | tomcat | Not affected | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Not affected | ||
| Red Hat Enterprise Linux 9 | pki-servlet-engine | Not affected | ||
| Red Hat Enterprise Linux 10 | tomcat9 | Fixed | RHSA-2025:7494 | 13.05.2025 |
| Red Hat Enterprise Linux 10 | tomcat | Fixed | RHSA-2025:7497 | 13.05.2025 |
| Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2025:3683 | 08.04.2025 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | tomcat | Fixed | RHSA-2025:3684 | 08.04.2025 |
| Red Hat Enterprise Linux 9 | tomcat | Fixed | RHSA-2025:3645 | 07.04.2025 |
| Red Hat Enterprise Linux 9.2 Extended Update Support | tomcat | Fixed | RHSA-2025:3646 | 07.04.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by defaul...
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled
Path Equivalence: 'file.Name' (Internal Dot) leading toRemote Code Exe ...
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
EPSS
8.6 High
CVSS3