CVE-2025-24813 (Medium) Detected In Tomcat-embed-core-9.0.55.jar


CVE-2025-24813 - Medium Severity Vulnerability

Apache Tomcat is a widely used open-source web server and servlet container. However, a recent vulnerability has been detected in the tomcat-embed-core-9.0.55.jar library, which is a part of the Tomcat implementation. This vulnerability, identified as CVE-2025-24813, has a medium severity rating and can potentially lead to remote code execution and/or information disclosure.

Vulnerable Library - tomcat-embed-core-9.0.55.jar

The vulnerable library is tomcat-embed-core-9.0.55.jar, which is a part of the Tomcat implementation. This library is used for core Tomcat functionality and is a critical component of the Tomcat server.

Library Home Page

The library home page is located at https://tomcat.apache.org/. This page provides information about the library, including its features, documentation, and download links.

Path to Vulnerable Library

The path to the vulnerable library is /target/mvn_hello2-0.0.1-SNAPSHOT/WEB-INF/lib-provided/tomcat-embed-core-9.0.55.jar. This path indicates that the library is packaged in the WEB-INF/lib-provided directory of the built web application (mvn_hello2-0.0.1-SNAPSHOT), i.e. the embedded Tomcat core ships inside the application archive rather than being installed separately.

Dependency Hierarchy

The dependency hierarchy for the vulnerable library is as follows:

  • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

The vulnerable library is found in the main branch of the project.

Vulnerability Details

The vulnerability in tomcat-embed-core-9.0.55.jar is related to the way the default servlet handles file uploads, specifically partial PUT requests. The issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, and from 9.0.0.M1 through 9.0.98.

If all of the following conditions are met, a malicious user can view security-sensitive files and/or inject content into those files:

  • Writes are enabled for the default servlet (disabled by default)
  • Support for partial PUT is enabled (enabled by default)
  • A target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads
  • The attacker knows the names of security-sensitive files being uploaded
  • The security-sensitive files are also uploaded via partial PUT

If all of the following conditions are met, a malicious user can perform remote code execution:

  • Writes are enabled for the default servlet (disabled by default)
  • Support for partial PUT is enabled (enabled by default)
  • The application is using Tomcat's file-based session persistence with the default storage location
  • The application includes a library that may be leveraged in a deserialization attack

CVSS 3 Score Details

The CVSS 3 score for this vulnerability is 5.5, which indicates a medium severity rating. The CVSS 3 score is calculated based on the following metrics:

  • Base Score Metrics:
    • Exploitability Metrics:
      • Attack Vector: Local
      • Attack Complexity: Low
      • Privileges Required: None
      • User Interaction: Required
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: None
      • Availability Impact: High

Suggested Fix

The suggested fix for this vulnerability is to upgrade the version of tomcat-embed-core to 9.0.99 or later. This fix is available as of 2025-03-10 and resolves the issue.

Conclusion

The CVE-2025-24813 vulnerability in tomcat-embed-core-9.0.55.jar is a medium severity issue that can potentially lead to remote code execution and/or information disclosure. It is essential to upgrade the version of tomcat-embed-core to 9.0.99 or later to resolve this issue. Additionally, it is recommended to follow best practices for securing Tomcat servers, including keeping writes disabled for the default servlet and disabling support for partial PUT.

Step up your Open Source Security Game with Mend

To stay ahead of security threats like CVE-2025-24813, it is essential to have a robust open-source security solution in place. Mend is a leading provider of open-source security solutions that can help you identify and remediate vulnerabilities like this one. Learn more about how Mend can help you step up your open-source security game by visiting https://www.whitesourcesoftware.com/full_solution_bolt_github.

CVE-2025-24813 (Medium) detected in tomcat-embed-core-9.0.55.jar: Q&A

Q: What is CVE-2025-24813?

A: CVE-2025-24813 is a medium severity vulnerability detected in the tomcat-embed-core-9.0.55.jar library. This vulnerability can potentially lead to remote code execution and/or information disclosure.

Q: What is the impact of this vulnerability?

A: If all of the following conditions are met, a malicious user can view security-sensitive files and/or inject content into those files:

  • Writes are enabled for the default servlet (disabled by default)
  • Support for partial PUT is enabled (enabled by default)
  • A target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads
  • The attacker knows the names of security-sensitive files being uploaded
  • The security-sensitive files are also uploaded via partial PUT

If all of the following conditions are met, a malicious user can perform remote code execution:

  • Writes are enabled for the default servlet (disabled by default)
  • Support for partial PUT is enabled (enabled by default)
  • The application is using Tomcat's file-based session persistence with the default storage location
  • The application includes a library that may be leveraged in a deserialization attack

Q: What is the CVSS 3 score for this vulnerability?

A: The CVSS 3 score for this vulnerability is 5.5, which indicates a medium severity rating.

Q: What are the base score metrics for this vulnerability?

A: The base score metrics for this vulnerability are:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Q: What is the suggested fix for this vulnerability?

A: The suggested fix for this vulnerability is to upgrade the version of tomcat-embed-core to 9.0.99 or later. This fix is available as of 2025-03-10 and resolves the issue.

Q: How can I prevent this vulnerability from occurring in the future?

A: To prevent this vulnerability from occurring in the future, you can follow these best practices:

  • Keep writes disabled for the default servlet (the default setting)
  • Disable support for partial PUT
  • Do not rely on file-based session persistence in the default storage location; use a storage location that is not reachable through the default servlet
  • Avoid including libraries that may be leveraged in a deserialization attack

Q: What is the recommended course of action for this vulnerability?

A: The recommended course of action for this vulnerability is to:

  • Upgrade the version of tomcat-embed-core to 9.0.99 or later
  • Review and update your application's configuration to prevent this vulnerability from occurring in the future
  • Consider implementing additional security measures to protect against remote code execution and information disclosure attacks

Q: How can I stay informed about security vulnerabilities like CVE-2025-24813?

A: To stay informed about security vulnerabilities like CVE-2025-24813, you can:

  • Subscribe to security vulnerability databases and feeds
  • Follow reputable security sources and blogs
  • Participate in security communities and forums
  • Use a robust open-source security solution like Mend to identify and remediate vulnerabilities

Q: What is Mend and how can it help me with open-source security?

A: Mend is a leading provider of open-source security solutions that can help you identify and remediate vulnerabilities like CVE-2025-24813. Mend's solution provides real-time vulnerability detection, automated remediation, and continuous monitoring to help you stay ahead of security threats. Learn more about how Mend can help you step up your open-source security game by visiting https://www.whitesourcesoftware.com/full_solution_bolt_github.