Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Christopher Schultz
Darryl, On 3/12/25 1:23 PM, Darryl Baker wrote: For us the CVSS score is a way to determine how deeply to investigate and more importantly to describe the criticality to management in a way they understand. If you haven't changed the default configuration for the DefaultServlet from readonly="t

Re: Tomcat 9.0.98 Performance hits AWS 100% CPU

2025-03-12 Thread Christopher Schultz
Timothy, On 3/12/25 1:00 PM, Timothy Resh wrote: Thanks for your input on this issue. I have additional information on this. What would happen if the temp directory gets this size of 38000 files and 1.6GB of data? Has anyone seen Tomcat slow down because of temp directory size? I don't bel

Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Darryl Baker
For us the CVSS score is a way to determine how deeply to investigate and more importantly to describe the criticality to management in a way they understand. Darryl Baker, GSEC, GCLD (he/him/his) Sr. System Administrator Distributed Application Platform Services Northwestern University 4th F

Re: Tomcat 9.0.98 Performance hits AWS 100% CPU

2025-03-12 Thread Timothy Resh
Thanks for your input on this issue. I have additional information on this. What would happen if the temp directory gets this size of 38000 files and 1.6GB of data? Has anyone seen Tomcat slow down because of temp directory size? On Sun, Mar 9, 2025 at 1:01 PM Suvendu Sekhar Mondal wrote:

Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Mark Thomas
On 12/03/2025 14:01, Darryl Baker wrote: Does this have a CVE score yet? We don't provide CVSS scores as we don't believe they provide any value (they are too subjective and don't allow for the individual circumstances of any deployment). It is far too easy for a vulnerability to score 0 for

Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Darryl Baker
Does this have a CVE score yet? Darryl Baker, GSEC, GCLD (he/him/his) Sr. System Administrator Distributed Application Platform Services Northwestern University 4th Floor 2020 Ridge Avenue Evanston, IL 60208-0801 darryl.ba...@northwestern.edu (847) 46