{"id":1045,"date":"2025-04-23T06:06:56","date_gmt":"2025-04-23T06:06:56","guid":{"rendered":"http:\/\/localhost\/?p=1045"},"modified":"2025-04-23T06:06:56","modified_gmt":"2025-04-23T06:06:56","slug":"amazon-linux-ami-tomcat8-alas-2025-1969","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1045","title":{"rendered":"Amazon Linux AMI : tomcat8 (ALAS-2025-1969)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nAmazon Linux AMI : tomcat8 (ALAS-2025-1969)<\/td>\n<\/tr>\n
Type<\/th>\nnessus<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-22T00:00:00<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-22T11:29:46<\/td>\n<\/tr>\n
CVSS Score<\/th>\n9.8 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-24813<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nscanner<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n The version of tomcat8 installed on the remote host is prior to 8.5.99-1.98. It is, therefore, affected by a vulnerability as referenced in the ALAS-2025-1969 advisory.<\/p>\n

Path Equivalence: ‘file.Name’ (Internal Dot) leading to Remote Code Execution and\/or Information disclosure and\/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.<\/p>\n

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.<\/p>\n

If all of the following were true, a malicious user was able to view security sensitive files and\/or inject content into those files:- writes enabled for the default servlet (disabled by default)- support for partial PUT (enabled by default)- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads- attacker knowledge of the names of security sensitive files being uploaded- the security sensitive files also being uploaded via partial PUT<\/p>\n

If all of the following were true, a malicious user was able to perform remote code execution:- writes enabled for the default servlet (disabled by default)- support for partial PUT (enabled by default)- application was using Tomcat’s file based session persistence with the default storage location- application included a library that may be leveraged in a deserialization attack<\/p>\n

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.<\/p>\n

More justification and the patch links are available for all versions here:[1] https:\/\/tomcat.apache.org\/security-11.html[2] https:\/\/tomcat.apache.org\/security-10.html[3] https:\/\/tomcat.apache.org\/security-9.html (CVE-2025-24813)<\/p>\n

Tenable has extracted the preceding description block directly from the tested product security advisory.<\/p>\n

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
\nFile data ala_ALAS-2025-1969.nasl\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n9.8<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n