Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TencentOS Server 3: tomcat (TSSA-2025:0592)

🗓️ 20 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 6 Views

TencentOS Server 3 Tomcat TOCTOU and memory leak flaws fixed by patch

Related
Refs
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
20 Dec 202421:30
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
19 Dec 202402:43
githubexploit
GithubExploit		Exploit for CVE-2025-55752
29 Oct 202508:27
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
23 Dec 202414:11
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
25 Dec 202418:42
githubexploit
GithubExploit		Exploit for Incomplete Cleanup in Apache Tomcat
2 Jul 202502:20
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
18 Dec 202419:53
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
30 Mar 202517:15
githubexploit
GithubExploit		Exploit for Incomplete Cleanup in Apache Tomcat
30 Apr 202511:10
githubexploit
GithubExploit		Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat
20 Dec 202405:24
githubexploit
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0592.
##

include('compat.inc');

if (description)
{
  script_id(275996);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");

  script_cve_id("CVE-2024-56337", "CVE-2025-31650");
  script_xref(name:"IAVA", value:"2024-A-0822-S");
  script_xref(name:"IAVA", value:"2025-A-0313-S");

  script_name(english:"TencentOS Server 3: tomcat (TSSA-2025:0592)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0592 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2024-56337:
    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from
    9.0.0.M1 through 9.0.97.

    The mitigation for CVE-2024-50379 was incomplete.

    Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly
    initialisation
    parameter set to the non-default value of false) may need additional configuration to fully mitigate
    CVE-2024-50379 depending on which version of Java they are using with Tomcat:
    - running on Java 8 or Java 11: the system propertysun.io.useCanonCaches must be explicitly set to false
    (it defaults to true)
    - running on Java 17: thesystem property sun.io.useCanonCaches, if set, must be set to false(it
    defaults to false)
    - running on Java 21 onwards: no further configuration is required(the system property and the
    problematic cache have been removed)

    Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks thatsun.io.useCanonCaches is set
    appropriately before allowing the default servlet to be write enabled on a case insensitive file system.
    Tomcat will also setsun.io.useCanonCaches to false by default where it can.

    CVE-2025-31650:
    Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP
    priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A
    large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

    This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from
    11.0.0-M2 through 11.0.5.

    Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250592.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-31650");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2024-56337");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:tomcat");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'tomcat-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-admin-webapps-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-docs-webapp-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-el-3.0-api-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-jsp-2.3-api-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-lib-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-servlet-4.0-api-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'tomcat-webapps-9.0.87-1.tl3.4', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Nov 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.17.5 - 9.8
EPSS0.84587
SSVC
apache tomcattoctou vulnerabilitymemory leakupstream advisory 2025
6