Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities

high Web App Scanning Plugin ID 114886

Synopsis

Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities

Description

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities:

- When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. (CVE-2025-49125)

- During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability. (CVE-2025-49124)

- Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. (CVE-2025-48988)

- Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. (CVE-2025-48976)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Tomcat version 11.0.8 or later.

See Also

https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8

Plugin Details

Severity: High

ID: 114886

Type: remote

Published: 6/20/2025

Updated: 6/20/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-49124

CVSS v3

Risk Factor: High

Base Score: 8.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2025-49124

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-48976

Vulnerability Information

CPE: cpe:2.3:a:apache_software_foundation:tomcat:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/8/2025

Reference Information

CVE: CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, CVE-2025-49125

CWE: 288, 426, 770

OWASP: 2010-A3, 2010-A4, 2013-A2, 2013-A4, 2013-A9, 2017-A2, 2017-A5, 2017-A9, 2021-A6, 2021-A7, 2021-A8

WASC: Denial of Service, Insufficient Authentication, Path Traversal

CAPEC: 114, 115, 125, 130, 147, 151, 194, 197, 22, 229, 230, 231, 38, 469, 482, 486, 487, 488, 489, 490, 491, 493, 494, 495, 496, 528, 57, 593, 633, 650, 94

DISA STIG: APSC-DV-000460, APSC-DV-002400, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SC-5

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-12.3.1, 4.0.2-14.2.1

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5.10, 3.2-6.5.8