Tomcat — контейнер сервлетов с открытым исходным кодом
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 243
BDU:2025-08954
Уязвимость сервера приложений Apache Tomcat, связанная с ошибками синхронизации при использовании общего ресурса («Ситуация гонки»), позволяющая нарушителю вызвать отказ в обслуживании
GHSA-42wg-hm62-jcwg
Apache Tomcat installer for Windows has an untrusted search path vulnerability
GHSA-wc4r-xq3c-5cf3
Apache Tomcat - Security constraint bypass for pre/post-resources
GHSA-h3gc-qfqq-6h8f
Apache Tomcat - DoS in multipart upload
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability ...
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-49124
Untrusted Search Path vulnerability in Apache Tomcat installer for Win ...
CVE-2025-49124
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in ...
CVE-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | BDU:2025-08954 Уязвимость сервера приложений Apache Tomcat, связанная с ошибками синхронизации при использовании общего ресурса («Ситуация гонки»), позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 5.6 | 0% Низкий | 4 месяца назад |
| GHSA-42wg-hm62-jcwg Apache Tomcat installer for Windows has an untrusted search path vulnerability | 0% Низкий | 5 месяцев назад | |
| GHSA-wc4r-xq3c-5cf3 Apache Tomcat - Security constraint bypass for pre/post-resources | 0% Низкий | 5 месяцев назад | |
| GHSA-h3gc-qfqq-6h8f Apache Tomcat - DoS in multipart upload | CVSS3: 7.5 | 0% Низкий | 5 месяцев назад |
| CVE-2025-49125 Authentication Bypass Using an Alternate Path or Channel vulnerability ... | CVSS3: 7.5 | 0% Низкий | 5 месяцев назад |
 | CVE-2025-49125 Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | CVSS3: 7.5 | 0% Низкий | 5 месяцев назад |
| CVE-2025-49124 Untrusted Search Path vulnerability in Apache Tomcat installer for Win ... | CVSS3: 8.4 | 0% Низкий | 5 месяцев назад |
| CVE-2025-49124 Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | CVSS3: 8.4 | 0% Низкий | 5 месяцев назад |
| CVE-2025-48988 Allocation of Resources Without Limits or Throttling vulnerability in ... | CVSS3: 7.5 | 0% Низкий | 5 месяцев назад |
| CVE-2025-48988 Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | CVSS3: 7.5 | 0% Низкий | 5 месяцев назад |
Уязвимостей на страницу