Lucene search
+L

Apache Tomcat CGI Security Constraint Bypass Vulnerability (May 2025) - Windows

🗓️ 30 May 2025 00:00:00Reported by Copyright (C) 2025 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 21 Views

Apache Tomcat has a CGI security constraint bypass vulnerability affecting multiple versions.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ibm
Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench
30 Oct 202520:15
ibm
ibm
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Handling of Case Sensitivity in Apache Tomcat [CVE-2025-46701]
28 Aug 202517:11
ibm
ibm
Security Bulletin: Vulnerability in Apache Tomcat affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
25 Sep 202511:51
ibm
ibm
Security Bulletin: Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint, which affects IBM watsonx.data
1 Sep 202514:50
ibm
ibm
Security Bulletin: Due to the use of Apache Tomcat, IBM ApplinX is vulnerable to multiple vulnerabilities.
15 Jul 202509:29
ibm
ibm
Security Bulletin: Vulnerabilities in Apache Tomcat Server (CVE-2025-52434, CVE-2025-48989, CVE-2025-52520, CVE-2025-53506, CVE-2025-55668, CVE-2025-49125, CVE-2025-48988, CVE-2025-46701, CVE-2025-31651, CVE-2025-31650) affect Power HMC.
20 Nov 202506:10
ibm
ibm
Security Bulletin: IBM Watson Discovery Catridge affected by vulnerability in tomcat-embed-core-10.1.35.jar
26 Aug 202517:53
ibm
ibm
Security Bulletin: IBM webMethods BPM is affected by multiple vulnerabilities
12 Nov 202514:34
ibm
githubexploit
Exploit for Improper Handling of Case Sensitivity in Apache Tomcat
29 Apr 202500:47
githubexploit
nessus
Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1030)
23 Jun 202500:00
nessus
Rows per page
# SPDX-FileCopyrightText: 2025 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:apache:tomcat";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.154591");
  script_version("2025-05-30T15:42:19+0000");
  script_tag(name:"last_modification", value:"2025-05-30 15:42:19 +0000 (Fri, 30 May 2025)");
  script_tag(name:"creation_date", value:"2025-05-30 02:40:27 +0000 (Fri, 30 May 2025)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_cve_id("CVE-2025-46701");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Apache Tomcat CGI Security Constraint Bypass Vulnerability (May 2025) - Windows");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2025 Greenbone AG");
  script_family("Web Servers");
  script_dependencies("gb_apache_tomcat_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("apache/tomcat/detected", "Host/runs_windows");

  script_tag(name:"summary", value:"Apache Tomcat is prone to a CGI security constraint bypass
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"When running on a case insensitive file system with security
  constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI
  servlet, it is possible to bypass those security constraints with a specially crafted URL.");

  script_tag(name:"affected", value:"Apache Tomcat version 9.0.104 and prior, 10.x through
  10.1.40 and 11.0.0-M1 through 11.0.6.

  Note: While not explicitly mentioned by the vendor (due to the EOL status of these branches) it
  is assumed that the whole 10.x branch and all versions prior to 9.x are affected by these flaws.
  If you disagree with this assessment and want to accept the risk please create an override for
  this result.");

  script_tag(name:"solution", value:"Update to version 9.0.105, 10.1.41, 11.0.7 or later.");

  script_xref(name:"URL", value:"https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_is_less_equal(version: version, test_version: "9.0.104")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "9.0.105", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "10.0.0", test_version_up: "10.1.41")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "10.1.41", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "11.0.0.M1", test_version_up: "11.0.7")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "11.0.7", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 May 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.17.3
EPSS0.02736
SSVC
21