Vulnerability-Lookup

RHSA-2026:18537

Vulnerability from csaf_redhat - Published: 2026-05-19 09:22 - Updated: 2026-05-28 20:56

Summary

Red Hat Security Advisory: tomcat security update

Severity

Important

Notes

Topic: An update for tomcat is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es): * tomcat: Apache Tomcat: Security constraint bypass for CGI scripts (CVE-2025-46701) * org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve (CVE-2025-55668) * org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation (CVE-2025-55754) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 10 Release Notes linked from the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-46701

A flaw was found in the CGI servlet component of Apache Tomcat. This vulnerability allows a security constraint bypass via improper handling of case sensitivity in the pathInfo component of a URI mapped to the CGI servlet.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-178 - Improper Handling of Case Sensitivity

Affected products

Fixed 9 products

Product	Version	Remediation
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2025-55668

A session fixation vulnerability has been identified in Apache Tomcat, affecting its rewrite functionality. If the rewrite valve is enabled for a web application, an attacker can craft a specific URL. If a victim clicks on this malicious URL, their subsequent interaction with the resource will occur within the context of the attacker's session. This could allow an attacker to hijack the victim's session and perform actions on their behalf.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-384 - Session Fixation

Affected products

Fixed 9 products

Product	Version	Remediation
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2025-55754

An improper input neutralization flaw has been discovered in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Affected products

Fixed 9 products

Product	Version	Remediation
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround
Unresolved product id: AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

27 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:18537	self
https://docs.redhat.com/en/documentation/red_hat_…	external
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=2369253	external
https://bugzilla.redhat.com/show_bug.cgi?id=2388226	external
https://bugzilla.redhat.com/show_bug.cgi?id=2406590	external
https://issues.redhat.com/browse/RHEL-150099	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2025-46701	self
https://bugzilla.redhat.com/show_bug.cgi?id=2369253	external
https://www.cve.org/CVERecord?id=CVE-2025-46701	external
https://nvd.nist.gov/vuln/detail/CVE-2025-46701	external
https://lists.apache.org/thread/xhqqk9w5q45srcdqh…	external
https://access.redhat.com/security/cve/CVE-2025-55668	self
https://bugzilla.redhat.com/show_bug.cgi?id=2388226	external
https://www.cve.org/CVERecord?id=CVE-2025-55668	external
https://nvd.nist.gov/vuln/detail/CVE-2025-55668	external
https://github.com/apache/tomcat/commit/8621e4c6b…	external
https://github.com/apache/tomcat/commit/90306d971…	external
https://github.com/apache/tomcat/commit/9c3673ba0…	external
https://lists.apache.org/thread/v6bknr96rl7l1qxkl…	external
https://access.redhat.com/security/cve/CVE-2025-55754	self
https://bugzilla.redhat.com/show_bug.cgi?id=2406590	external
https://www.cve.org/CVERecord?id=CVE-2025-55754	external
https://nvd.nist.gov/vuln/detail/CVE-2025-55754	external
https://github.com/apache/tomcat/commit/5a3db0929…	external
https://lists.apache.org/thread/j7w54hqbkfcn0xb9x…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for tomcat is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat: Security constraint bypass for CGI scripts (CVE-2025-46701)\n\n* org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve (CVE-2025-55668)\n\n* org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation (CVE-2025-55754)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 10 Release Notes linked from the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:18537",
        "url": "https://access.redhat.com/errata/RHSA-2026:18537"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.2_release_notes/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/10.2_release_notes/index"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2369253",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369253"
      },
      {
        "category": "external",
        "summary": "2388226",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388226"
      },
      {
        "category": "external",
        "summary": "2406590",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406590"
      },
      {
        "category": "external",
        "summary": "RHEL-150099",
        "url": "https://issues.redhat.com/browse/RHEL-150099"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_18537.json"
      }
    ],
    "title": "Red Hat Security Advisory: tomcat security update",
    "tracking": {
      "current_release_date": "2026-05-28T20:56:51+00:00",
      "generator": {
        "date": "2026-05-28T20:56:51+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.1"
        }
      },
      "id": "RHSA-2026:18537",
      "initial_release_date": "2026-05-19T09:22:51+00:00",
      "revision_history": [
        {
          "date": "2026-05-19T09:22:51+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-19T09:22:51+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-28T20:56:51+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                  "product_id": "AppStream-10.2.GA",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-admin-webapps@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-docs-webapp@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-el-5.0-api@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-jsp-3.1-api@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-lib-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-lib-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-lib-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-lib@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-servlet-6.0-api@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-webapps-1:10.1.49-1.el10.noarch",
                "product": {
                  "name": "tomcat-webapps-1:10.1.49-1.el10.noarch",
                  "product_id": "tomcat-webapps-1:10.1.49-1.el10.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat-webapps@10.1.49-1.el10?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat-1:10.1.49-1.el10.src",
                "product": {
                  "name": "tomcat-1:10.1.49-1.el10.src",
                  "product_id": "tomcat-1:10.1.49-1.el10.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat@10.1.49-1.el10?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-1:10.1.49-1.el10.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src"
        },
        "product_reference": "tomcat-1:10.1.49-1.el10.src",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-admin-webapps-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-docs-webapp-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-el-5.0-api-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-lib-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-lib-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-webapps-1:10.1.49-1.el10.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
        },
        "product_reference": "tomcat-webapps-1:10.1.49-1.el10.noarch",
        "relates_to_product_reference": "AppStream-10.2.GA"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-46701",
      "cwe": {
        "id": "CWE-178",
        "name": "Improper Handling of Case Sensitivity"
      },
      "discovery_date": "2025-05-29T20:00:51.512562+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2369253"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the CGI servlet component of Apache Tomcat. This vulnerability allows a security constraint bypass via improper handling of case sensitivity in the pathInfo component of a URI mapped to the CGI servlet.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Apache Tomcat: Security constraint bypass for CGI scripts",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Moderate rather than Important due to several limiting technical factors that reduce its overall impact and exploitability. Firstly, the flaw only manifests on case-insensitive file systems (e.g., Windows NTFS or macOS HFS+), which are less common in production-grade Tomcat deployments, most of which run on case-sensitive Linux file systems. Secondly, the bypass only occurs when security constraints are defined specifically on the pathInfo portion of URLs mapped to the CGI servlet \u2014 a relatively uncommon and niche configuration in modern Tomcat-based applications, where URL-based access control tends to use more direct patterns or broader filters. Additionally, successful exploitation does not lead to remote code execution or denial of service, but rather circumvents access control under specific conditions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
          "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-46701"
        },
        {
          "category": "external",
          "summary": "RHBZ#2369253",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369253"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-46701",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-46701"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-46701",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46701"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j",
          "url": "https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j"
        }
      ],
      "release_date": "2025-05-29T19:06:04.289000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T09:22:51+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:18537"
        },
        {
          "category": "workaround",
          "details": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tomcat: Apache Tomcat: Security constraint bypass for CGI scripts"
    },
    {
      "cve": "CVE-2025-55668",
      "cwe": {
        "id": "CWE-384",
        "name": "Session Fixation"
      },
      "discovery_date": "2025-08-13T14:00:45.674371+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2388226"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A session fixation vulnerability has been identified in Apache Tomcat, affecting its rewrite functionality. If the rewrite valve is enabled for a web application, an attacker can craft a specific URL. If a victim clicks on this malicious URL, their subsequent interaction with the resource will occur within the context of the attacker\u0027s session. This could allow an attacker to hijack the victim\u0027s session and perform actions on their behalf.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
          "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-55668"
        },
        {
          "category": "external",
          "summary": "RHBZ#2388226",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388226"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-55668",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-55668"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55668",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55668"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6",
          "url": "https://github.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/tomcat/commit/90306d971bb8b8393336d893644124fb2ca11d21",
          "url": "https://github.com/apache/tomcat/commit/90306d971bb8b8393336d893644124fb2ca11d21"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95",
          "url": "https://github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47",
          "url": "https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47"
        }
      ],
      "release_date": "2025-08-13T13:21:35.743000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T09:22:51+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:18537"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve"
    },
    {
      "cve": "CVE-2025-55754",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "discovery_date": "2025-10-27T18:01:17.953987+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2406590"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An improper input neutralization flaw has been discovered in Apache Tomcat. \nTomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
          "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
          "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-55754"
        },
        {
          "category": "external",
          "summary": "RHBZ#2406590",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406590"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-55754",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-55754"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55754",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55754"
        },
        {
          "category": "external",
          "summary": "https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb",
          "url": "https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd",
          "url": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd"
        }
      ],
      "release_date": "2025-10-27T17:29:50.756000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-19T09:22:51+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:18537"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-1:10.1.49-1.el10.src",
            "AppStream-10.2.GA:tomcat-admin-webapps-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-docs-webapp-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-el-5.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-jsp-3.1-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-lib-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-servlet-6.0-api-1:10.1.49-1.el10.noarch",
            "AppStream-10.2.GA:tomcat-webapps-1:10.1.49-1.el10.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation"
    }
  ]
}

CVE-2025-46701 (GCVE-0-2025-46701)

Vulnerability from cvelistv5 – Published: 2025-05-29 19:06 – Updated: 2025-11-03 20:04

Title

Apache Tomcat: Security constraint bypass for CGI scripts

Summary

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Severity

No CVSS data available.

CWE

CWE-178 - Improper Handling of Case Sensitivity

Assigner

apache

References

1 reference

URL	Tags
https://lists.apache.org/thread/xhqqk9w5q45srcdqh…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.6 (semver) Affected: 10.1.0-M1 , ≤ 10.1.40 (semver) Affected: 9.0.0.M1 , ≤ 9.0.104 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Unknown: 3 , < 8.5.0 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

Credits

Greg K (https://github.com/gregk4sec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:04:34.067Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/05/29/4"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-46701",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T14:58:21.998219Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T14:58:31.063Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.6",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.40",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.104",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unknown",
              "version": "3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "unknown",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Greg K (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Handling of Case Sensitivity vulnerability in Apache Tomcat\u0027s GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Handling of Case Sensitivity vulnerability in Apache Tomcat\u0027s GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T11:46:02.476Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Security constraint bypass for CGI scripts",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-46701",
    "datePublished": "2025-05-29T19:06:04.289Z",
    "dateReserved": "2025-04-28T12:28:07.568Z",
    "dateUpdated": "2025-11-03T20:04:34.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-55668 (GCVE-0-2025-55668)

Vulnerability from cvelistv5 – Published: 2025-08-13 13:21 – Updated: 2025-11-04 21:13

Title

Apache Tomcat: session fixation via rewrite valve

Summary

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Severity

No CVSS data available.

CWE

CWE-384 - Session Fixation

Assigner

apache

References

1 reference

URL	Tags
https://lists.apache.org/thread/v6bknr96rl7l1qxkl…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.7 (semver) Affected: 10.1.0-M1 , ≤ 10.1.41 (semver) Affected: 9.0.0.M1 , ≤ 9.0.105 (semver) Unknown: 8 , < 9.0.0.M1 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

Credits

Greg K (https://github.com/gregk4sec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-55668",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T13:38:12.498649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T13:39:26.761Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:09.014Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/13/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.7",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.41",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.105",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThan": "9.0.0.M1",
              "status": "unknown",
              "version": "8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "unknown",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Greg K (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSession Fixation vulnerability in Apache Tomcat via rewrite valve.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\u003cbr\u003eOlder, EOL versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Session Fixation vulnerability in Apache Tomcat via rewrite valve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.\nOlder, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "CWE-384 Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T11:39:30.355Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: session fixation via rewrite valve",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-55668",
    "datePublished": "2025-08-13T13:21:35.743Z",
    "dateReserved": "2025-08-13T12:16:36.881Z",
    "dateUpdated": "2025-11-04T21:13:09.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-55754 (GCVE-0-2025-55754)

Vulnerability from cvelistv5 – Published: 2025-10-27 17:29 – Updated: 2026-05-12 12:08

Title

Apache Tomcat: console manipulation via escape sequences in log messages

Summary

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Severity

No CVSS data available.

CWE

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

Assigner

apache

References

1 reference

URL	Tags
https://lists.apache.org/thread/j7w54hqbkfcn0xb9x…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.10 (semver) Affected: 10.1.0-M1 , ≤ 10.1.44 (semver) Affected: 9.0.40 , ≤ 9.0.108 (semver) Affected: 8.5.60 , ≤ 8.5.100 (semver) Unknown: 3 , < 8.5.0 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

Credits

Elysee Franchuk of MOBIA Technology Innovations

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-55754",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T04:55:55.372090Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:57:04.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:16.888Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/27/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:08:28.428Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.10",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.44",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.108",
              "status": "affected",
              "version": "9.0.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.60",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unknown",
              "version": "3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "unknown",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Elysee Franchuk of MOBIA Technology Innovations"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eTomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\u003c/p\u003e\u003c/div\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\u003c/p\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\n\nTomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T11:38:25.256Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: console manipulation via escape sequences in log messages",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-55754",
    "datePublished": "2025-10-27T17:29:50.756Z",
    "dateReserved": "2025-08-15T11:26:40.520Z",
    "dateUpdated": "2026-05-12T12:08:28.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:18537

CVE-2025-46701 (GCVE-0-2025-46701)

CVE-2025-55668 (GCVE-0-2025-55668)

CVE-2025-55754 (GCVE-0-2025-55754)

Tags

Sightings

Nomenclature