Apache Tomcat 10.1.0.M1 < 10.1.50 multiple vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(299401);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id("CVE-2025-66614", "CVE-2026-24733");
  script_xref(name:"IAVA", value:"2026-A-0175-S");

  script_name(english:"Apache Tomcat 10.1.0.M1 < 10.1.50 multiple vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 10.1.50. It is, therefore, affected by multiple
vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.50_security-10 advisory.

  - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14,
    from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time
    the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not
    affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the
    host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host
    and the TLS configuration for one of those hosts did not require client certificate authentication but
    another one did, it was possible for a client to bypass the client certificate authentication by sending
    different host names in the SNI extension and the HTTP host header field. The vulnerability only applies
    if client certificate authentication is only enforced at the Connector. It does not apply if client
    certificate authentication is enforced at the web application. Users are recommended to upgrade to version
    11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue. (CVE-2025-66614)

  - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the
    GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests,
    the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request
    using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through
    10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to
    upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
    (CVE-2026-24733)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/apache/tomcat/commit/711b465cf22684a1acf0cb43501cdbbce9b6c5f4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ebbd4aa8");
  # https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7db58c72");
  # https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ad95086");
  # https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.50
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?53f7bcbe");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 10.1.50 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-66614");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include('vcf_extras.inc');

vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');

var constraints = [
  { 'min_version' : '10.1.0.M1', 'max_version' : '10.1.49', 'fixed_version' : '10.1.50' }
];

vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);