Darryl,

On 3/12/25 1:23 PM, Darryl Baker wrote:
For us the CVSS score is a way to determine how deeply to
investigate and more importantly to describe the criticality to
management in a way they understand.

If you haven't changed the default configuration for the DefaultServlet from readonly="true" to readonly="false", then you have nothing to worry about.

-chris

On 3/12/25, 9:21 AM, "Mark Thomas" <ma...@apache.org> wrote:


On 12/03/2025 14:01, Darryl Baker wrote:
Does this have a CVE score yet?


We don't provide CVSS scores as we don't believe they provide any value
(they are too subjective and don't allow for the individual
circumstances of any deployment). It is far too easy for a vulnerability
to score 0 for some users and 10 for others.


We provide the criteria that enables you to determine if you are exposed
and the possible consequences if you are. You then get to decide how
concerned you want to be.


Mark





Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674




On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org> wrote:


CVE-2025-24813 Potential RCE and/or information disclosure and/or
information corruption with partial PUT


Severity: Important


Vendor: The Apache Software Foundation


Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98


Description:
The original implementation of partial PUT used a temporary file based
on the user provided file name and path with the path separator replaced
by ".".


If all of the following were true, a malicious user was able to view
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory
of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being
uploaded
- the security sensitive files also being uploaded via partial PUT


If all of the following were true, a malicious user was able to perform
remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with
the default storage location
- application included a library that may be leveraged in a
deserialization attack


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later


Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)


History:
2025-03-10 Original advisory


References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
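The two checks that decide the exposure question raised in this thread (is the version in one of the advisory's affected ranges, and has the DefaultServlet been switched from its shipped readonly="true" to readonly="false") are mechanical enough to script. The following is an added example, not part of the thread and not Tomcat project code; it assumes web.xml files are passed in merge order (conf/web.xml, then an application's WEB-INF/web.xml) and that an explicit readonly init-param in a later file overrides an earlier one. The XML samples are constructed for the demo. The remaining advisory conditions (upload URL layout, file-based session persistence, a deserialization gadget on the classpath) are application-specific and are deliberately not evaluated.

```python
"""Exposure check for the conditions named in the CVE-2025-24813 advisory.

Added example, not Tomcat project code. It answers two questions from the
thread: is the Tomcat version inside an affected range, and has the
DefaultServlet been configured with readonly=false (writes enabled)?
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Fixed releases from the advisory; anything below them on the same branch
# (11.0.x, 10.1.x, 9.0.x) is affected. Other branches are not covered.
FIXED = {(11, 0): (11, 0, 3), (10, 1): (10, 1, 35), (9, 0): (9, 0, 99)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Sortable tuple for a Tomcat version string.

    Milestones ("9.0.0.M1", "10.1.0-M1") sort before the final release of
    the same number: (major, minor, patch, is_final, milestone_number).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def version_affected(text):
    """True if affected, False if at/after the fixed release, None if the
    branch is not listed in the advisory (for example EOL 8.5.x or 10.0.x)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed + (1, 0)   # compare against the final fixed release


def _local(tag):
    """Strip an XML namespace: '{urn:x}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml):
    """Explicit readonly setting for the DefaultServlet in one web.xml
    (True/False), or None if this file does not set it.

    Matches the servlet by class name or by the name "default", since an
    application's WEB-INF/web.xml overrides conf/web.xml by servlet-name.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if (fields.get("servlet-class") != DEFAULT_SERVLET_CLASS
                and fields.get("servlet-name") != "default"):
            continue
        for child in servlet:
            if _local(child.tag) == "init-param":
                params = {_local(c.tag): (c.text or "").strip() for c in child}
                if params.get("param-name") == "readonly":
                    return params.get("param-value", "").lower() != "false"
    return None


def assess(version, web_xml_files):
    """Combine the version range with the effective readonly setting.

    Partial PUT is enabled by default per the advisory, so an affected
    version with writes enabled satisfies the first two conditions of both
    scenarios. Files are applied in order; a later explicit setting wins
    (assumption made for this example).
    """
    readonly = True                      # Tomcat's shipped default
    for text in web_xml_files:
        explicit = default_servlet_readonly(text)
        if explicit is not None:
            readonly = explicit
    affected = version_affected(version)
    return {
        "version": version,
        "version_affected": affected,
        "writes_enabled": not readonly,
        "exposed": bool(affected) and not readonly,
    }


# Constructed samples for the demo; not taken from any real deployment.
SHIPPED_CONF_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WRITABLE_APP_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for ver, files in [("9.0.98", [SHIPPED_CONF_WEB_XML]),
                       ("9.0.98", [SHIPPED_CONF_WEB_XML, WRITABLE_APP_WEB_XML]),
                       ("9.0.99", [SHIPPED_CONF_WEB_XML, WRITABLE_APP_WEB_XML])]:
        print(assess(ver, files))
```

Run against real files by reading conf/web.xml and each deployed application's WEB-INF/web.xml into strings and passing them to assess() with the output of version.sh. A result of writes_enabled=False on an affected version is the case Chris describes: nothing to worry about for this CVE, though upgrading remains the advisory's mitigation.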