Apache Tomcat 10.1.0-M1 < 10.1.50 Multiple Vulnerabilities

medium Web App Scanning Plugin ID 115153

Synopsis

Apache Tomcat 10.1.0-M1 < 10.1.50 Multiple Vulnerabilities

Description

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.113, 10.1.0-M1 prior to 10.1.50, or 11.0.0-M1 prior to 11.0.15. It is, therefore, affected by multiple vulnerabilities:

- If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. (CVE-2026-24733)

- If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. (CVE-2025-66614)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
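The plugin's decision is purely a version-range check against the three branches named in the description, and the milestone builds (10.1.0-M1, 11.0.0-M15 and so on) are the part that a naive string comparison gets wrong. The following is an added example written for this page, not Tenable's plugin code or anything from the Apache Tomcat project: it encodes the affected ranges exactly as the description states them, orders milestone builds before the corresponding final release, and reports the first fixed version for a self-reported version string. The `Apache Tomcat/<version>` banner pattern and the sample banners are assumptions made for the example.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated in the plugin description, written as
# [first affected, first fixed) half-open intervals.
AFFECTED_RANGES = [
    ("9.0.0-M1", "9.0.113"),
    ("10.1.0-M1", "10.1.50"),
    ("11.0.0-M1", "11.0.15"),
]

# Tomcat version strings: "10.1.50" or a milestone such as "11.0.0-M15".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Assumed banner format for this example, e.g. the "Apache Tomcat/10.1.49"
# string in Tomcat's default error pages; adjust the pattern for other sources.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts correctly.

    Milestone builds (10.1.0-M1 ... 10.1.0-Mn) ship before the final 10.1.0
    release, so they get rank 0 and the final release gets rank 1; the last
    element orders milestones among themselves.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` falls inside an affected
    range, or None if it is outside every range the description lists
    (including branches the description does not mention, such as 8.5.x)."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v < parse_version(fixed):
            return fixed
    return None


def check_banner(banner: str) -> Tuple[Optional[str], Optional[str]]:
    """Extract the self-reported version from a banner and evaluate it.

    Returns (version, fixed_version): version is None when no Tomcat version
    string is present, fixed_version is None when the version is not affected.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None, None
    version = m.group(1)
    return version, fixed_version_for(version)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "<h3>Apache Tomcat/10.1.49</h3>",
        "<h3>Apache Tomcat/10.1.50</h3>",
        "<h3>Apache Tomcat/11.0.0-M15</h3>",
        "<h3>Apache Tomcat/9.0.113</h3>",
        "Server: nginx/1.24.0",
    ]
    for banner in samples:
        version, fixed = check_banner(banner)
        if version is None:
            print(f"{banner!r}: no Tomcat version found")
        elif fixed is None:
            print(f"{version}: not in an affected range")
        else:
            print(f"{version}: affected, upgrade to {fixed}")
```

Like the plugin itself, this check trusts the self-reported version and nothing else: it cannot see a vendor package that backported the fixes under an older version number, nor a host that hides or rewrites its banner, so treat a "not affected" result as an absence of evidence rather than a confirmation.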

Solution

Upgrade to Apache Tomcat version 10.1.50 or later.

See Also

https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.50

Plugin Details

Severity: Medium

ID: 115153

Type: remote

Published: 3/5/2026

Updated: 3/5/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-66614

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: CVE-2025-66614

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-24733

Vulnerability Information

CPE: cpe:2.3:a:apache_software_foundation:tomcat:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/6/2025

Reference Information

CVE: CVE-2025-66614, CVE-2026-24733