Does this have a CVE score yet? Darryl Baker, GSEC, GCLD (he/him/his) Sr. System Administrator Distributed Application Platform Services Northwestern University 4th Floor 2020 Ridge Avenue Evanston, IL 60208-0801 darryl.ba...@northwestern.edu <mailto:darryl.ba...@northwestern.edu> (847) 467-6674 <tel:+18474676674>
On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org <mailto:ma...@apache.org>> wrote: CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.2 Apache Tomcat 10.1.0-M1 to 10.1.34 Apache Tomcat 9.0.0.M1 to 9.0.98 Description: The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".". If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.3 or later - Upgrade to Apache Tomcat 10.1.35 or later - Upgrade to Apache Tomcat 9.0.99 or later Credit: Information disclosure/corruption: COSCO Shipping Lines DIC Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight <https://github.com/sw0rd1ight>) History: 2025-03-10 Original advisory References: [1] https://tomcat.apache.org/security-11.html <https://tomcat.apache.org/security-11.html> [2] https://tomcat.apache.org/security-10.html <https://tomcat.apache.org/security-10.html> [3] https://tomcat.apache.org/security-9.html <https://tomcat.apache.org/security-9.html> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org <mailto:users-unsubscr...@tomcat.apache.org> For additional commands, e-mail: users-h...@tomcat.apache.org <mailto:users-h...@tomcat.apache.org>
