Author: markt
Date: Mon Jun 16 13:57:16 2025
New Revision: 1926475
URL: http://svn.apache.org/viewvc?rev=1926475&view=rev
Log:
Add CVE-2025-48976, -48988, -49124, -49125
Modified:
tomcat/site/trunk/docs/security-10.html
tomcat/site/trunk/docs/security-11.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-10.xml
tomcat/site/trunk/xdocs/security-11.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-10.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-10.html (original)
+++ tomcat/site/trunk/docs/security-10.html Mon Jun 16 13:57:16 2025
@@ -42,7 +42,75 @@
</p>
</div><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
- <ul><li><a href="#Fixed_in_Apache_Tomcat_10.1.41">Fixed in Apache Tomcat
10.1.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.40">Fixed in Apache
Tomcat 10.1.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.35">Fixed in
Apache Tomcat 10.1.35</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.34">Fixed in Apache Tomcat
10.1.34</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.33">Fixed in Apache
Tomcat 10.1.33</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.31">Fixed in
Apache Tomcat 10.1.31</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.25">Fixed in Apache Tomcat
10.1.25</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.19">Fixed in Apache
Tomcat 10.1.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.16">Fixed in
Apache Tomcat 10.1.16</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.14">Fixed in Apache Tomcat
10.1.14</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.13">Fixed in Apache
Tomcat 10.1.13</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.9">Fixed in
Apache Tomcat 10.1.9</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.8">Fixed in Apache Tomcat
10.1.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.6">Fixed in Apache
Tomcat 10.1.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.5">Fixed in
Apache Tomcat 10.1.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.2">Fixed
in Apache Tomcat 10.1.2</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.1">Fixed in Apache Tomcat
10.1.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.27">Fixed in Apache
Tomcat 10.0.27</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.23">Fixed in
Apache Tomcat 10.0.23</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.0-M17">Fixed in Apache Tomcat
10.1.0-M17</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.21">Fixed in
Apache Tomcat 10.0.21</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.0-M15">Fixed in Apache Tomcat
10.1.0-M15</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.20">Fixed in
Apache Tomcat 10.0.20</a></li><li><a href="#Fixed_in_Apache_T
omcat_10.1.0-M14">Fixed in Apache Tomcat 10.1.0-M14</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.16">Fixed in Apache Tomcat
10.0.16</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.0-M10">Fixed in
Apache Tomcat 10.1.0-M10</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.12">Fixed in Apache Tomcat
10.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.0-M6">Fixed in Apache
Tomcat 10.1.0-M6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.7">Fixed in
Apache Tomcat 10.0.7</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.6">Fixed
in Apache Tomcat 10.0.6</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.5">Fixed in Apache Tomcat
10.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.4">Fixed in Apache
Tomcat 10.0.4</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.2">Fixed in
Apache Tomcat 10.0.2</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.0-M10">Fixed in Apache Tomcat
10.0.0-M10</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M8">Fixed in
Apache Tomcat 10.0.0-M8<
/a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M7">Fixed in Apache Tomcat
10.0.0-M7</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M6">Fixed in
Apache Tomcat 10.0.0-M6</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.0-M5">Fixed in Apache Tomcat
10.0.0-M5</a></li><li><a href="#Not_a_vulnerability_in_Tomcat">Not a
vulnerability in Tomcat</a></li></ul>
+ <ul><li><a href="#Fixed_in_Apache_Tomcat_10.1.42">Fixed in Apache Tomcat
10.1.42</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.41">Fixed in Apache
Tomcat 10.1.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.40">Fixed in
Apache Tomcat 10.1.40</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.35">Fixed in Apache Tomcat
10.1.35</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.34">Fixed in Apache
Tomcat 10.1.34</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.33">Fixed in
Apache Tomcat 10.1.33</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.31">Fixed in Apache Tomcat
10.1.31</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.25">Fixed in Apache
Tomcat 10.1.25</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.19">Fixed in
Apache Tomcat 10.1.19</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.16">Fixed in Apache Tomcat
10.1.16</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.14">Fixed in Apache
Tomcat 10.1.14</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.13">Fixed in
Apache Tomcat 10.1.13</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.9">Fixed in Apache Tomcat
10.1.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.8">Fixed in Apache
Tomcat 10.1.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.6">Fixed in
Apache Tomcat 10.1.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.5">Fixed
in Apache Tomcat 10.1.5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.2">Fixed in Apache Tomcat
10.1.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.1">Fixed in Apache
Tomcat 10.1.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.27">Fixed in
Apache Tomcat 10.0.27</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.23">Fixed in Apache Tomcat
10.0.23</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.0-M17">Fixed in
Apache Tomcat 10.1.0-M17</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.21">Fixed in Apache Tomcat
10.0.21</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.1.0-M15">Fixed in
Apache Tomcat 10.1.0-M15</a></li><li><a href="#Fixed_in_Apache_T
omcat_10.0.20">Fixed in Apache Tomcat 10.0.20</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.0-M14">Fixed in Apache Tomcat
10.1.0-M14</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.16">Fixed in
Apache Tomcat 10.0.16</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.0-M10">Fixed in Apache Tomcat
10.1.0-M10</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.12">Fixed in
Apache Tomcat 10.0.12</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.1.0-M6">Fixed in Apache Tomcat
10.1.0-M6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.7">Fixed in Apache
Tomcat 10.0.7</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.6">Fixed in
Apache Tomcat 10.0.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.5">Fixed
in Apache Tomcat 10.0.5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.4">Fixed in Apache Tomcat
10.0.4</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.2">Fixed in Apache
Tomcat 10.0.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M10">Fixed in
Apache Tomcat 10.0.0-M10</a><
/li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M8">Fixed in Apache Tomcat
10.0.0-M8</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M7">Fixed in
Apache Tomcat 10.0.0-M7</a></li><li><a
href="#Fixed_in_Apache_Tomcat_10.0.0-M6">Fixed in Apache Tomcat
10.0.0-M6</a></li><li><a href="#Fixed_in_Apache_Tomcat_10.0.0-M5">Fixed in
Apache Tomcat 10.0.0-M5</a></li><li><a
href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in
Tomcat</a></li></ul>
+ </div><h3 id="Fixed_in_Apache_Tomcat_10.1.42"><span
class="pull-right">2025-06-09</span> Fixed in Apache Tomcat 10.1.42</h3><div
class="text">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125";
rel="nofollow">CVE-2025-49125</a></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c";>7617b9c2</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49124";
rel="nofollow">CVE-2025-49124</a></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49";>e0e07812</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0 to 10.1.41</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988";
rel="nofollow">CVE-2025-48988</a></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6";>cdde8e65</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48976";
rel="nofollow">CVE-2025-48976</a></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86";>667ddd76</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_10.1.41"><span
class="pull-right">2025-05-12</span> Fixed in Apache Tomcat 10.1.41</h3><div
class="text">
<p><strong>Low: CGI security constraint bypass</strong>
Modified: tomcat/site/trunk/docs/security-11.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-11.html?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-11.html (original)
+++ tomcat/site/trunk/docs/security-11.html Mon Jun 16 13:57:16 2025
@@ -36,7 +36,75 @@
</p>
</div><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
- <ul><li><a href="#Fixed_in_Apache_Tomcat_11.0.7">Fixed in Apache Tomcat
11.0.7</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.6">Fixed in Apache
Tomcat 11.0.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.3">Fixed in
Apache Tomcat 11.0.3</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.2">Fixed
in Apache Tomcat 11.0.2</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.1">Fixed in Apache Tomcat
11.0.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0">Fixed in Apache
Tomcat 11.0.0</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M21">Fixed in
Apache Tomcat 11.0.0-M21</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M17">Fixed in Apache Tomcat
11.0.0-M17</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M12">Fixed in
Apache Tomcat 11.0.0-M12</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M11">Fixed in Apache Tomcat
11.0.0-M11</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M6">Fixed in
Apache Tomcat 11.0.0-M6</a></li><li><a href="#Fixed_in_Apache_Tomcat_1
1.0.0-M5">Fixed in Apache Tomcat 11.0.0-M5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M3">Fixed in Apache Tomcat
11.0.0-M3</a></li></ul>
+ <ul><li><a href="#Fixed_in_Apache_Tomcat_11.0.8">Fixed in Apache Tomcat
11.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.7">Fixed in Apache
Tomcat 11.0.7</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.6">Fixed in
Apache Tomcat 11.0.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.3">Fixed
in Apache Tomcat 11.0.3</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.2">Fixed in Apache Tomcat
11.0.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.1">Fixed in Apache
Tomcat 11.0.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0">Fixed in
Apache Tomcat 11.0.0</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M21">Fixed in Apache Tomcat
11.0.0-M21</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M17">Fixed in
Apache Tomcat 11.0.0-M17</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M12">Fixed in Apache Tomcat
11.0.0-M12</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M11">Fixed in
Apache Tomcat 11.0.0-M11</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-
M6">Fixed in Apache Tomcat 11.0.0-M6</a></li><li><a
href="#Fixed_in_Apache_Tomcat_11.0.0-M5">Fixed in Apache Tomcat
11.0.0-M5</a></li><li><a href="#Fixed_in_Apache_Tomcat_11.0.0-M3">Fixed in
Apache Tomcat 11.0.0-M3</a></li></ul>
+ </div><h3 id="Fixed_in_Apache_Tomcat_11.0.8"><span
class="pull-right">2025-06-09</span> Fixed in Apache Tomcat 11.0.8</h3><div
class="text">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125";
rel="nofollow">CVE-2025-49125</a></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637";>d94bd36f</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49124";
rel="nofollow">CVE-2025-49124</a></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/c56456cda8151c9504dfb7985700824559d769a7";>c56456cd</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988";
rel="nofollow">CVE-2025-48988</a></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e";>2b0ab14f</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48976";
rel="nofollow">CVE-2025-48976</a></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/74f69ffaf61e54c727603e7e831fe20f0ac5d2a7";>74f69ffa</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_11.0.7"><span
class="pull-right">2025-05-13</span> Fixed in Apache Tomcat 11.0.7</h3><div
class="text">
<p><strong>Low: CGI security constraint bypass</strong>
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Mon Jun 16 13:57:16 2025
@@ -36,7 +36,75 @@
</p>
</div><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
- <ul><li><a href="#Fixed_in_Apache_Tomcat_9.0.105">Fixed in Apache Tomcat
9.0.105</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.104">Fixed in Apache
Tomcat 9.0.104</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.99">Fixed in
Apache Tomcat 9.0.99</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.98">Fixed
in Apache Tomcat 9.0.98</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.97">Fixed in Apache Tomcat
9.0.97</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.96">Fixed in Apache
Tomcat 9.0.96</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.90">Fixed in
Apache Tomcat 9.0.90</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.86">Fixed
in Apache Tomcat 9.0.86</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.83">Fixed in Apache Tomcat
9.0.83</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.81">Fixed in Apache
Tomcat 9.0.81</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.80">Fixed in
Apache Tomcat 9.0.80</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.75">Fixed
in Apache Tomcat 9.0.
75</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.74">Fixed in Apache Tomcat
9.0.74</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.72">Fixed in Apache
Tomcat 9.0.72</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.71">Fixed in
Apache Tomcat 9.0.71</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.69">Fixed
in Apache Tomcat 9.0.69</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.68">Fixed in Apache Tomcat
9.0.68</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.65">Fixed in Apache
Tomcat 9.0.65</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.63">Fixed in
Apache Tomcat 9.0.63</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.62">Fixed
in Apache Tomcat 9.0.62</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.58">Fixed in Apache Tomcat
9.0.58</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.54">Fixed in Apache
Tomcat 9.0.54</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.48">Fixed in
Apache Tomcat 9.0.48</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.46">Fixed
in Apache Tomcat 9.0.4
6</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.45">Fixed in Apache Tomcat
9.0.45</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.44">Fixed in Apache
Tomcat 9.0.44</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.43">Fixed in
Apache Tomcat 9.0.43</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.40">Fixed
in Apache Tomcat 9.0.40</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.38">Fixed in Apache Tomcat
9.0.38</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.37">Fixed in Apache
Tomcat 9.0.37</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.36">Fixed in
Apache Tomcat 9.0.36</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.35">Fixed
in Apache Tomcat 9.0.35</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.31">Fixed in Apache Tomcat
9.0.31</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.30">Fixed in Apache
Tomcat 9.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.29">Fixed in
Apache Tomcat 9.0.29</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.21">Fixed
in Apache Tomcat 9.0.21
</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache Tomcat
9.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.19">Fixed in Apache
Tomcat 9.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed in
Apache Tomcat 9.0.16</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.12">Fixed
in Apache Tomcat 9.0.12</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.10">Fixed in Apache Tomcat
9.0.10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.9">Fixed in Apache
Tomcat 9.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.8">Fixed in
Apache Tomcat 9.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed
in Apache Tomcat 9.0.5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat
9.0.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache
Tomcat 9.0.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in
Apache Tomcat 9.0.0.M22</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M21">Fixed in Apache Tomcat 9.0.0.M2
1</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M19">Fixed in Apache
Tomcat 9.0.0.M19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M18">Fixed
in Apache Tomcat 9.0.0.M18</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M17">Fixed in Apache Tomcat
9.0.0.M17</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M15">Fixed in
Apache Tomcat 9.0.0.M15</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M13">Fixed in Apache Tomcat
9.0.0.M13</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M10">Fixed in
Apache Tomcat 9.0.0.M10</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M8">Fixed in Apache Tomcat
9.0.0.M8</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M3">Fixed in Apache
Tomcat 9.0.0.M3</a></li><li><a href="#Not_a_vulnerability_in_Tomcat">Not a
vulnerability in Tomcat</a></li></ul>
+ <ul><li><a href="#Fixed_in_Apache_Tomcat_9.0.106">Fixed in Apache Tomcat
9.0.106</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.105">Fixed in Apache
Tomcat 9.0.105</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.104">Fixed in
Apache Tomcat 9.0.104</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.99">Fixed in Apache Tomcat
9.0.99</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.98">Fixed in Apache
Tomcat 9.0.98</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.97">Fixed in
Apache Tomcat 9.0.97</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.96">Fixed
in Apache Tomcat 9.0.96</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.90">Fixed in Apache Tomcat
9.0.90</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.86">Fixed in Apache
Tomcat 9.0.86</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.83">Fixed in
Apache Tomcat 9.0.83</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.81">Fixed
in Apache Tomcat 9.0.81</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.80">Fixed in Apache Tomcat 9.
0.80</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.75">Fixed in Apache
Tomcat 9.0.75</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.74">Fixed in
Apache Tomcat 9.0.74</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.72">Fixed
in Apache Tomcat 9.0.72</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.71">Fixed in Apache Tomcat
9.0.71</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.69">Fixed in Apache
Tomcat 9.0.69</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.68">Fixed in
Apache Tomcat 9.0.68</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.65">Fixed
in Apache Tomcat 9.0.65</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.63">Fixed in Apache Tomcat
9.0.63</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.62">Fixed in Apache
Tomcat 9.0.62</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.58">Fixed in
Apache Tomcat 9.0.58</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.54">Fixed
in Apache Tomcat 9.0.54</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.48">Fixed in Apache Tomcat 9.0
.48</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.46">Fixed in Apache
Tomcat 9.0.46</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.45">Fixed in
Apache Tomcat 9.0.45</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.44">Fixed
in Apache Tomcat 9.0.44</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.43">Fixed in Apache Tomcat
9.0.43</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.40">Fixed in Apache
Tomcat 9.0.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.38">Fixed in
Apache Tomcat 9.0.38</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.37">Fixed
in Apache Tomcat 9.0.37</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.36">Fixed in Apache Tomcat
9.0.36</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.35">Fixed in Apache
Tomcat 9.0.35</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.31">Fixed in
Apache Tomcat 9.0.31</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.30">Fixed
in Apache Tomcat 9.0.30</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.29">Fixed in Apache Tomcat 9.0.
29</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.21">Fixed in Apache Tomcat
9.0.21</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache
Tomcat 9.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.19">Fixed in
Apache Tomcat 9.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed
in Apache Tomcat 9.0.16</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.12">Fixed in Apache Tomcat
9.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.10">Fixed in Apache
Tomcat 9.0.10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.9">Fixed in
Apache Tomcat 9.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.8">Fixed
in Apache Tomcat 9.0.8</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat
9.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache
Tomcat 9.0.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in
Apache Tomcat 9.0.1</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in Apache Tomcat 9.0.0.M22</a
></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M21">Fixed in Apache Tomcat
>9.0.0.M21</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M19">Fixed in
>Apache Tomcat 9.0.0.M19</a></li><li><a
>href="#Fixed_in_Apache_Tomcat_9.0.0.M18">Fixed in Apache Tomcat
>9.0.0.M18</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M17">Fixed in
>Apache Tomcat 9.0.0.M17</a></li><li><a
>href="#Fixed_in_Apache_Tomcat_9.0.0.M15">Fixed in Apache Tomcat
>9.0.0.M15</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M13">Fixed in
>Apache Tomcat 9.0.0.M13</a></li><li><a
>href="#Fixed_in_Apache_Tomcat_9.0.0.M10">Fixed in Apache Tomcat
>9.0.0.M10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M8">Fixed in
>Apache Tomcat 9.0.0.M8</a></li><li><a
>href="#Fixed_in_Apache_Tomcat_9.0.0.M3">Fixed in Apache Tomcat
>9.0.0.M3</a></li><li><a href="#Not_a_vulnerability_in_Tomcat">Not a
>vulnerability in Tomcat</a></li></ul>
+ </div><h3 id="Fixed_in_Apache_Tomcat_9.0.106"><span
class="pull-right">2025-06-10</span> Fixed in Apache Tomcat 9.0.106</h3><div
class="text">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125";
rel="nofollow">CVE-2025-49125</a></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9";>9418e3ff</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49124";
rel="nofollow">CVE-2025-49124</a></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/28726cc2e63bed68771f5eb0f65a78dc7080571823";>28726cc2</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.23 to 9.0.105</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988";
rel="nofollow">CVE-2025-48988</a></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910";>ee8042ff</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48976";
rel="nofollow">CVE-2025-48976</a></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93";>97790a35</a>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_9.0.105"><span
class="pull-right">2025-05-12</span> Fixed in Apache Tomcat 9.0.105</h3><div
class="text">
<p><strong>Low: CGI security constraint bypass</strong>
Modified: tomcat/site/trunk/xdocs/security-10.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-10.xml?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-10.xml (original)
+++ tomcat/site/trunk/xdocs/security-10.xml Mon Jun 16 13:57:16 2025
@@ -56,6 +56,76 @@
<toc/>
</section>
+ <section name="Fixed in Apache Tomcat 10.1.42" rtext="2025-06-09">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <cve>CVE-2025-49125</cve></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="7617b9c247bc77ed0444dd69adcd8aa48777886c"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <cve>CVE-2025-49124</cve></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="e0e07812224d327a321babb554f5a5758d30cc49"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0 to 10.1.41</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <cve>CVE-2025-48988</cve></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="cdde8e655bc1c5c60a07efd216251d77c52fd7f6"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <cve>CVE-2025-48976</cve></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 10.1.0-M1 to 10.1.41</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 10.1.41" rtext="2025-05-12">
<p><strong>Low: CGI security constraint bypass</strong>
Modified: tomcat/site/trunk/xdocs/security-11.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-11.xml?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-11.xml (original)
+++ tomcat/site/trunk/xdocs/security-11.xml Mon Jun 16 13:57:16 2025
@@ -50,6 +50,76 @@
<toc/>
</section>
+ <section name="Fixed in Apache Tomcat 11.0.8" rtext="2025-06-09">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <cve>CVE-2025-49125</cve></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="d94bd36fb7eb32e790dae0339bc249069649a637"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <cve>CVE-2025-49124</cve></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="c56456cda8151c9504dfb7985700824559d769a7"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <cve>CVE-2025-48988</cve></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <cve>CVE-2025-48976</cve></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="74f69ffaf61e54c727603e7e831fe20f0ac5d2a7"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 11.0.0-M1 to 11.0.7</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 11.0.7" rtext="2025-05-13">
<p><strong>Low: CGI security constraint bypass</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1926475&r1=1926474&r2=1926475&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Mon Jun 16 13:57:16 2025
@@ -50,6 +50,76 @@
<toc/>
</section>
+ <section name="Fixed in Apache Tomcat 9.0.106" rtext="2025-06-10">
+
+ <p><strong>Moderate: Security constraint bypass for PreResources and
+ PostResources</strong>
+ <cve>CVE-2025-49125</cve></p>
+
+ <p>When using PreResources or PostResources mounted other than at the root
+ of the web application, it was possible to access those resources via an
+ unexpected path. That path was likely not to be protected by the same
+ security constraints as the expected path, allowing those security
+ constraints to be bypassed.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="9418e3ff9f1f4c006b4661311ae9376c52d162b9"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
+ <p><strong>Low: Side-loading via Tomcat installer for Windows</strong>
+ <cve>CVE-2025-49124</cve></p>
+
+ <p>During installation, the Tomcat installer for Windows used icacls.exe
+ without specifying a full path. This enabled a side-loading
+ vulnerability.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="28726cc2e63bed68771f5eb0f65a78dc7080571823"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.23 to 9.0.105</p>
+
+ <p><strong>Important: DoS in multipart upload</strong>
+ <cve>CVE-2025-48988</cve></p>
+
+ <p>Tomcat used the same limit for both request parameters and parts in a
+ multipart request. Since uploaded parts also include headers which must
+ be retained, processing multipart requests can result in significantly
+ more memory usage. A specially crafted request that used a large number
+ of parts could trigger excessive memory usage leading to a DoS. The
+ maximum number of parts is now configurable (maxPartCount on the
+ Connector) with a default of 10 parts.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="ee8042ffce4cb9324dfd79efda5984f37bbb6910"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
+ <p><strong>Important: DoS in Commons FileUpload</strong>
+ <cve>CVE-2025-48976</cve></p>
+
+ <p>Apache Commons FileUpload provided a hard-coded limit of 10kB for the
+ size of the headers associated with a multipart request. A specially
+ crafted request that used a large number of parts with large headers
+ could trigger excessive memory usage leading to a DoS. This limit is
+ now configurable (maxPartHeaderSize on the Connector) with a default of
+ 512 bytes.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="97790a35a27d236fa053e660676c3f8196284d93"/>.</p>
+
+ <p>The issue was made public on 16 June 2025.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.105</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.105" rtext="2025-05-12">
<p><strong>Low: CGI security constraint bypass</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
