Severity: moderate
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0-M1 through 10.1.41
- Apache Tomcat 9.0.0.M1 through 9.0.105
Description:
Authentication Bypass Using an Alternate Path or Channel vulnerability
in Apache Tomcat. When using PreResources or PostResources mounted
other than at the root of the web application, it was possible to access
those resources via an unexpected path. That path was likely not to be
protected by the same security constraints as the expected path,
allowing those security constraints to be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from
10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,
which fix the issue.
Credit:
Greg K (https://github.com/gregk4sec) (finder)
References:
https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49125
