RHSA-2025:22925
Vulnerability from csaf_redhat - Published: 2025-12-09 15:25 - Updated: 2025-12-10 17:45Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 5.8.6 release and security update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 5.8 on Red Hat Enterprise Linux versions 7, 8, and 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.8.6 serves as a replacement for Red Hat JBoss Web Server 5.8.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section.
Security Fix(es):
* [Minor Incident] tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames [jws-5] (CVE-2025-48989)
* tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve [jws-5] (CVE-2025-31651)
* tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE [jws-5] (CVE-2025-55752)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Web Server 5.8 on Red Hat Enterprise Linux versions 7, 8, and 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.8.6 serves as a replacement for Red Hat JBoss Web Server 5.8.5. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section.\n\nSecurity Fix(es):\n\n* [Minor Incident] tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames [jws-5] (CVE-2025-48989)\n* tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve [jws-5] (CVE-2025-31651)\n* tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE [jws-5] (CVE-2025-55752)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22925",
"url": "https://access.redhat.com/errata/RHSA-2025:22925"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_web_server/5.8/html/red_hat_jboss_web_server_5.8_service_pack_6_release_notes/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_web_server/5.8/html/red_hat_jboss_web_server_5.8_service_pack_6_release_notes/index"
},
{
"category": "external",
"summary": "2362782",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362782"
},
{
"category": "external",
"summary": "2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "2406591",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406591"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22925.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Server 5.8.6 release and security update",
"tracking": {
"current_release_date": "2025-12-10T17:45:23+00:00",
"generator": {
"date": "2025-12-10T17:45:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2025:22925",
"initial_release_date": "2025-12-09T15:25:26+00:00",
"revision_history": [
{
"date": "2025-12-09T15:25:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-09T15:25:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-10T17:45:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.8 for RHEL 8",
"product": {
"name": "Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.8 for RHEL 9",
"product": {
"name": "Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Server"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el7jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el8jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el9jws?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-java-jdk11@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-java-jdk8@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.87-14.redhat_00013.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.87-14.redhat_00013.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.87-14.redhat_00013.1.el9jws?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 7 Server",
"product_id": "7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 8",
"product_id": "8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch as a component of Red Hat JBoss Web Server 5.8 for RHEL 9",
"product_id": "9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"relates_to_product_reference": "9Base-JWS-5.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-31651",
"cwe": {
"id": "CWE-150",
"name": "Improper Neutralization of Escape, Meta, or Control Sequences"
},
"discovery_date": "2025-04-28T20:00:56.551028+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2362782"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat\u0027s rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Low severity because it only manifests under a narrow set of conditions involving uncommon and non-default rewrite rule configurations that rely on specific patterns in the raw requestURI, including path parameters. In most deployments, rewrite rules operate on decoded and normalized URIs or are used for non-security-critical purposes like routing. Furthermore, Tomcat\u2019s internal processing already normalizes and removes path parameters (;-delimited) before applying security constraints, meaning any bypass would only be feasible if the rewrite logic directly enforced security (which is a poor practice). The flaw does not allow direct code execution, data leakage, or privilege escalation unless the rewrite rule was explicitly misused as a substitute for proper access control. \n\nIts impact is further mitigated by the fact that rewrite rules are not typically relied upon for access enforcement. As such, while the bug may lead to incorrect rule evaluation under certain edge-case configurations, it does not represent a significant security risk in practice.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-31651"
},
{
"category": "external",
"summary": "RHBZ#2362782",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362782"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-31651",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-31651"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-31651",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31651"
},
{
"category": "external",
"summary": "https://lists.apache.org/list.html?announce@tomcat.apache.org",
"url": "https://lists.apache.org/list.html?announce@tomcat.apache.org"
}
],
"release_date": "2025-04-28T19:17:21.721000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T15:25:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22925"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-06-18T08:15:11.266000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373309"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48989"
},
{
"category": "external",
"summary": "RHBZ#2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T15:25:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22925"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames"
},
{
"cve": "CVE-2025-55752",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"discovery_date": "2025-10-27T18:01:22.818037+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2406591"
}
],
"notes": [
{
"category": "description",
"text": "A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If HTTP PUT requests are also enabled, this flaw could allow the upload of malicious files, potentially leading to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as Important rather than Critical because successful exploitation depends on specific, non-default configuration conditions. The flaw only becomes exploitable when both URL rewriting rules that modify the request path are in use and HTTP PUT requests are enabled \u2014 a feature typically restricted to administrative or trusted users. In standard Tomcat deployments, PUT is disabled or tightly controlled, and rewrite configurations rarely expose sensitive paths. Therefore, while the issue could theoretically lead to remote code execution, the limited attack surface and requirement for uncommon setup conditions significantly reduce its overall risk level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55752"
},
{
"category": "external",
"summary": "RHBZ#2406591",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406591"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55752"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752"
},
{
"category": "external",
"summary": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a",
"url": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog",
"url": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog"
}
],
"release_date": "2025-10-27T17:29:56.060000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T15:25:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22925"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduced the risk, by disabling or strictly limiting the use of HTTP PUT requests to trusted, authenticated users only. Additionally, administrators should review and adjust URL rewrite rules to ensure they do not manipulate request paths in ways that could expose protected directories such as /WEB-INF/ or /META-INF/. Implementing strict access controls and monitoring for unexpected rewrite or upload behavior can further minimize potential exploitation.",
"product_ids": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws.src",
"7Server-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk11-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-java-jdk8-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"7Server-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el7jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws.src",
"8Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"8Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el8jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws.src",
"9Base-JWS-5.8:jws5-tomcat-admin-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-docs-webapp-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-el-3.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-javadoc-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-jsp-2.3-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-lib-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-selinux-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-servlet-4.0-api-0:9.0.87-14.redhat_00013.1.el9jws.noarch",
"9Base-JWS-5.8:jws5-tomcat-webapps-0:9.0.87-14.redhat_00013.1.el9jws.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…