csaf_redhat - rhsa-2025:23052

RHSA-2025:23052

Vulnerability from csaf_redhat - Published: 2025-12-10 14:44 - Updated: 2025-12-16 19:11

Summary

Red Hat Security Advisory: tomcat9 security update

Notes

Topic

An update for tomcat9 is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. Security Fix(es): * tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651) * tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for tomcat9 is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.  Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)\n\n* tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:23052",
        "url": "https://access.redhat.com/errata/RHSA-2025:23052"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2362782",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362782"
      },
      {
        "category": "external",
        "summary": "2406591",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406591"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23052.json"
      }
    ],
    "title": "Red Hat Security Advisory: tomcat9 security update",
    "tracking": {
      "current_release_date": "2025-12-16T19:11:28+00:00",
      "generator": {
        "date": "2025-12-16T19:11:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.13"
        }
      },
      "id": "RHSA-2025:23052",
      "initial_release_date": "2025-12-10T14:44:53+00:00",
      "revision_history": [
        {
          "date": "2025-12-10T14:44:53+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-10T14:44:53+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-16T19:11:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                  "product_id": "AppStream-10.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat9-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-admin-webapps@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-docs-webapp@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-el-3.0-api@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-jsp-2.3-api@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-lib@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-servlet-4.0-api@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch",
                "product": {
                  "name": "tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch",
                  "product_id": "tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9-webapps@9.0.87-8.el10_1.1?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat9-1:9.0.87-8.el10_1.1.src",
                "product": {
                  "name": "tomcat9-1:9.0.87-8.el10_1.1.src",
                  "product_id": "tomcat9-1:9.0.87-8.el10_1.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat9@9.0.87-8.el10_1.1?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-1:9.0.87-8.el10_1.1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src"
        },
        "product_reference": "tomcat9-1:9.0.87-8.el10_1.1.src",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-lib-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
        },
        "product_reference": "tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch",
        "relates_to_product_reference": "AppStream-10.1.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-31651",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "discovery_date": "2025-04-28T20:00:56.551028+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2362782"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache Tomcat\u0027s rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as Low severity because it only manifests under a narrow set of conditions involving uncommon and non-default rewrite rule configurations that rely on specific patterns in the raw requestURI, including path parameters. In most deployments, rewrite rules operate on decoded and normalized URIs or are used for non-security-critical purposes like routing. Furthermore, Tomcat\u2019s internal processing already normalizes and removes path parameters (;-delimited) before applying security constraints, meaning any bypass would only be feasible if the rewrite logic directly enforced security (which is a poor practice). The flaw does not allow direct code execution, data leakage, or privilege escalation unless the rewrite rule was explicitly misused as a substitute for proper access control. \n\nIts impact is further mitigated by the fact that rewrite rules are not typically relied upon for access enforcement. As such, while the bug may lead to incorrect rule evaluation under certain edge-case configurations, it does not represent a significant security risk in practice.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
          "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-31651"
        },
        {
          "category": "external",
          "summary": "RHBZ#2362782",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362782"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-31651",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-31651"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-31651",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31651"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/list.html?announce@tomcat.apache.org",
          "url": "https://lists.apache.org/list.html?announce@tomcat.apache.org"
        }
      ],
      "release_date": "2025-04-28T19:17:21.721000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-10T14:44:53+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23052"
        },
        {
          "category": "workaround",
          "details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve"
    },
    {
      "cve": "CVE-2025-55752",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "discovery_date": "2025-10-27T18:01:22.818037+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2406591"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If HTTP PUT requests are also enabled, this flaw could allow the upload of malicious files, potentially leading to remote code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as Important rather than Critical because successful exploitation depends on specific, non-default configuration conditions. The flaw only becomes exploitable when both URL rewriting rules that modify the request path are in use and HTTP PUT requests are enabled \u2014 a feature typically restricted to administrative or trusted users. In standard Tomcat deployments, PUT is disabled or tightly controlled, and rewrite configurations rarely expose sensitive paths. Therefore, while the issue could theoretically lead to remote code execution, the limited attack surface and requirement for uncommon setup conditions significantly reduce its overall risk level.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
          "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
          "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-55752"
        },
        {
          "category": "external",
          "summary": "RHBZ#2406591",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406591"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-55752",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-55752"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a",
          "url": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog",
          "url": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog"
        }
      ],
      "release_date": "2025-10-27T17:29:56.060000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-10T14:44:53+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:23052"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduced the risk, by disabling or strictly limiting the use of HTTP PUT requests to trusted, authenticated users only. Additionally, administrators should review and adjust URL rewrite rules to ensure they do not manipulate request paths in ways that could expose protected directories such as /WEB-INF/ or /META-INF/. Implementing strict access controls and monitoring for unexpected rewrite or upload behavior can further minimize potential exploitation.",
          "product_ids": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-1:9.0.87-8.el10_1.1.src",
            "AppStream-10.1.Z:tomcat9-admin-webapps-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-docs-webapp-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-el-3.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-jsp-2.3-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-lib-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-servlet-4.0-api-1:9.0.87-8.el10_1.1.noarch",
            "AppStream-10.1.Z:tomcat9-webapps-1:9.0.87-8.el10_1.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE"
    }
  ]
}

CVE-2025-31651 (GCVE-0-2025-31651)

Vulnerability from cvelistv5 – Published: 2025-04-28 19:17 – Updated: 2025-11-03 19:53

Title

Apache Tomcat: Bypass of rules in Rewrite Valve

Summary

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

URL

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.5 (semver) Affected: 10.1.0-M1 , ≤ 10.1.39 (semver) Affected: 9.0.0.M1 , ≤ 9.0.102 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Unknown: 8.0.0.RC1 , < 8.5.0 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

CVE-2025-55752 (GCVE-0-2025-55752)

Vulnerability from cvelistv5 – Published: 2025-10-27 17:29 – Updated: 2025-11-10 21:38

Title

Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled

Summary

Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Severity ?

No CVSS data available.

CWE

CWE-23 - Relative Path Traversal

Assigner

apache

References

URL

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.10 (semver) Affected: 10.1.0-M1 , ≤ 10.1.44 (semver) Affected: 9.0.0.M11 , ≤ 9.0.108 (semver) Affected: 8.5.6 , ≤ 8.5.100 (semver) Unknown: 3 , < 8.5.0 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2025:23052

CVE-2025-31651 (GCVE-0-2025-31651)

CVE-2025-55752 (GCVE-0-2025-55752)

Tags

Sightings

Nomenclature