Apache Tomcat 9.0.0.M1 < 9.0.113 multiple vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(299397);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id("CVE-2025-66614", "CVE-2026-24733");
  script_xref(name:"IAVA", value:"2026-A-0175-S");

  script_name(english:"Apache Tomcat 9.0.0.M1 < 9.0.113 multiple vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 9.0.113. It is, therefore, affected by multiple
vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.113_security-9 advisory.

  - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14,
    from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time
    the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not
    affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the
    host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host
    and the TLS configuration for one of those hosts did not require client certificate authentication but
    another one did, it was possible for a client to bypass the client certificate authentication by sending
    different host names in the SNI extension and the HTTP host header field. The vulnerability only applies
    if client certificate authentication is only enforced at the Connector. It does not apply if client
    certificate authentication is enforced at the web application. Users are recommended to upgrade to version
    11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue. (CVE-2025-66614)

  - Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the
    GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests,
    the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request
    using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through
    10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to
    upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
    (CVE-2026-24733)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/apache/tomcat/commit/2e2fa23f2635bbb819759576a2f2f5e64ecf7c5f
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9c01708");
  # https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f93506f");
  # https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8585325");
  # https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?19caa18e");
  # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.113
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ec0f11f1");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 9.0.113 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-66614");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:9");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include('vcf_extras.inc');

vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');

var constraints = [
  { 'min_version' : '9.0.0.M1', 'max_version' : '9.0.112', 'fixed_version' : '9.0.113' }
];

vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);