On 12/03/2025 14:01, Darryl Baker wrote:
Does this have a CVE score yet?
We don't provide CVSS scores as we don't believe they provide any value (they are too subjective and don't allow for the individual circumstances of any deployment). It is far too easy for a vulnerability to score 0 for some users and 10 for others.
We provide the criteria that enables you to determine if you are exposed and the possible consequences if you are. You then get to decide how concerned you want to be.
Mark
Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor 2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org> wrote:

CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98

Description:
The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later

Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)

History:
2025-03-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
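The advisory's two precondition lists lend themselves to a mechanical check against a deployment, which is exactly the "are you exposed" decision the reply above leaves to the reader. The following is an added example and is not Tomcat project code nor anything posted by the thread's participants. It reads a Tomcat version string, the DefaultServlet declaration from conf/web.xml and a context.xml, and reports which advisory conditions hold. The init-params readonly and allowPartialPut are real DefaultServlet parameters (read-only and partial PUT both default to true, matching the "disabled by default"/"enabled by default" notes in the advisory); the XML fragments are constructed for illustration; the "gadget library present" input is an assumption you supply from your own dependency review; and partial_put_temp_name is a simplified model of the advisory's one-sentence description of the temporary file name, not Tomcat's actual code.

```python
"""Exposure check for the CVE-2025-24813 preconditions listed in the advisory.
Added example, not Tomcat project code; XML snippets and versions are constructed."""
import re
import xml.etree.ElementTree as ET

# First fixed release of each branch, from the advisory's mitigation list.
FIXED = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed conf/web.xml fragment: writes on (readonly=false), partial PUT
# left at its default (enabled).
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Constructed hardened fragment: readonly back at its default (true) and
# partial PUT switched off explicitly.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Constructed context.xml: file based session persistence with no directory
# set, i.e. the default storage location the advisory refers to.
FILE_STORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def version_tuple(version):
    """'9.0.98', '10.1.0-M1' or '9.0.0.M1' -> numeric triple; a milestone
    sorts as its base number, which is below every fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if in an affected range, False if fixed, None if the branch is
    not covered by the advisory at all (for example 8.5.x)."""
    v = version_tuple(version)
    fixed = FIXED.get(v[0])
    return None if fixed is None else v < fixed


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace


def default_servlet_params(web_xml):
    """init-params of the DefaultServlet declaration, or {} if none found."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if cls and cls[0] == DEFAULT_SERVLET:
            params = {}
            for ip in servlet:
                if _local(ip.tag) == "init-param":
                    kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                    params[kv.get("param-name")] = kv.get("param-value")
            return params
    return {}


def file_store_with_default_dir(context_xml):
    """True if a FileStore is configured without an explicit directory."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Store" and el.get("className") == FILE_STORE:
            return el.get("directory") is None
    return False


def assess(version, web_xml, context_xml, gadget_library_present):
    """Map the advisory's two precondition lists onto one deployment."""
    params = default_servlet_params(web_xml)
    writes = params.get("readonly", "true").lower() == "false"              # default: read-only
    partial_put = params.get("allowPartialPut", "true").lower() != "false"  # default: enabled
    affected = version_affected(version)
    base = bool(affected) and writes and partial_put
    return {
        "affected_version": affected,
        "writes_enabled": writes,
        "partial_put_enabled": partial_put,
        # The URL-layout and file-name-knowledge conditions are not visible in
        # config; this flag only says the config-side conditions are met.
        "disclosure_config_conditions_met": base,
        "rce_possible": base and file_store_with_default_dir(context_xml)
                        and gadget_library_present,
    }


def partial_put_temp_name(request_path):
    """Model of the advisory's description of the temporary file name (path
    separators replaced by '.'); a simplification, not Tomcat's code."""
    return request_path.replace("/", ".")


if __name__ == "__main__":
    print(assess("9.0.98", VULNERABLE_WEB_XML, FILE_STORE_CONTEXT_XML, True))
    print(assess("9.0.98", HARDENED_WEB_XML, FILE_STORE_CONTEXT_XML, True))
    # A sensitive path under a sub-directory of the public upload URL and a
    # public-level name with '.' in it map to the same temporary file name:
    print(partial_put_temp_name("/uploads/private/report.txt"),
          partial_put_temp_name("/uploads/private.report.txt"))
```

The temp-name model is what makes the advisory's third disclosure condition concrete: once separators become ".", a request to a public-upload URL whose file name contains dots yields the same temporary name as a genuine upload into the sensitive sub-directory, so an attacker who knows the sensitive file names can read or overwrite the in-flight temporary copy. Two of the advisory's conditions (URL layout and file-name knowledge) cannot be read from configuration, so the check reports them separately for manual review rather than folding them into a single verdict.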