For us the CVSS score is a way to determine how deeply to investigate and more importantly to describe the criticality to management in a way they understand.
Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674

On 3/12/25, 9:21 AM, "Mark Thomas" <ma...@apache.org> wrote:

On 12/03/2025 14:01, Darryl Baker wrote:
> Does this have a CVE score yet?

We don't provide CVSS scores as we don't believe they provide any value (they are too subjective and don't allow for the individual circumstances of any deployment). It is far too easy for a vulnerability to score 0 for some users and 10 for others.

We provide the criteria that enables you to determine if you are exposed and the possible consequences if you are. You then get to decide how concerned you want to be.

Mark

>
> Darryl Baker, GSEC, GCLD (he/him/his)
> Sr. System Administrator
> Distributed Application Platform Services
> Northwestern University
> 4th Floor
> 2020 Ridge Avenue
> Evanston, IL 60208-0801
> darryl.ba...@northwestern.edu
> (847) 467-6674
>
> On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org> wrote:
>
> CVE-2025-24813 Potential RCE and/or information disclosure and/or
> information corruption with partial PUT
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M1 to 11.0.2
> Apache Tomcat 10.1.0-M1 to 10.1.34
> Apache Tomcat 9.0.0.M1 to 9.0.98
>
> Description:
> The original implementation of partial PUT used a temporary file based
> on the user provided file name and path with the path separator replaced
> by ".".
>
> If all of the following were true, a malicious user was able to view
> security sensitive files and/or inject content into those files:
> - writes enabled for the default servlet (disabled by default)
> - support for partial PUT (enabled by default)
> - a target URL for security sensitive uploads that was a sub-directory
>   of a target URL for public uploads
> - attacker knowledge of the names of security sensitive files being
>   uploaded
> - the security sensitive files also being uploaded via partial PUT
>
> If all of the following were true, a malicious user was able to perform
> remote code execution:
> - writes enabled for the default servlet (disabled by default)
> - support for partial PUT (enabled by default)
> - application was using Tomcat's file based session persistence with
>   the default storage location
> - application included a library that may be leveraged in a
>   deserialization attack
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.3 or later
> - Upgrade to Apache Tomcat 10.1.35 or later
> - Upgrade to Apache Tomcat 9.0.99 or later
>
> Credit:
> Information disclosure/corruption: COSCO Shipping Lines DIC
> Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)
>
> History:
> 2025-03-10 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-11.html
> [2] https://tomcat.apache.org/security-10.html
> [3] https://tomcat.apache.org/security-9.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
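The advisory above gives the exposure criteria rather than a score: an affected version range plus "writes enabled for the default servlet". The script below, an added example that is not part of this thread or of the Tomcat project, turns those two criteria into a check a defender can run against their own inventory. It compares a version string against the advisory's inclusive ranges (handling milestone builds such as 11.0.0-M1 and 9.0.0.M1, which sort before the corresponding release) and reads the default servlet's init-params out of conf/web.xml. The `readonly` init-param is the real DefaultServlet setting that controls whether PUT is accepted (it defaults to true); the sample web.xml embedded here is constructed for the demonstration. The partial-PUT and session-persistence preconditions are not checked here.

```python
"""Check a Tomcat deployment against two of the preconditions in the
CVE-2025-24813 advisory: an affected version and writes enabled for the
default servlet.  Added example; not code from the mailing-list thread or
the Tomcat project.  The 'readonly' init-param is the real DefaultServlet
setting; the sample web.xml below is constructed."""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]


def parse_version(v):
    """Turn a Tomcat version string into a comparable tuple.

    Milestones (11.0.0-M1 / 9.0.0.M1) must sort before the matching
    release, so the tuple is (major, minor, patch, is_release, milestone).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(v):
    """True if v falls inside one of the advisory's inclusive ranges."""
    t = parse_version(v)
    return any(parse_version(lo) <= t <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def _local(tag):
    # web.xml elements carry a namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' as a dict."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet
                     if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            k = v = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    k = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    v = (c.text or "").strip()
            if k:
                params[k] = v
        return params
    return {}


def assess(version, web_xml_text):
    """Combine the two checked preconditions into a short finding."""
    params = default_servlet_params(web_xml_text)
    # DefaultServlet's readonly defaults to true, so writes are only on
    # when the operator explicitly set it to false.
    writes_enabled = params.get("readonly", "true").lower() == "false"
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "default_servlet_writes_enabled": writes_enabled,
        "exposed": affected and writes_enabled,
    }


# Constructed sample conf/web.xml fragment with writes switched on.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for ver in ("9.0.98", "9.0.99", "11.0.0-M1", "10.1.35"):
        print(ver, assess(ver, SAMPLE_WEB_XML))
```

The version comparison is the part worth getting right: a naive string or float comparison puts 9.0.98 after 9.0.100 and cannot place 11.0.0-M1 relative to 11.0.0, which is why the tuple carries an explicit release flag. Point `assess()` at the real conf/web.xml of each instance and the version string from the Tomcat build to get the two advisory criteria answered per deployment.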