Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-48976 (GCVE-0-2025-48976)
Vulnerability from cvelistv5 – Published: 2025-06-16 15:00 – Updated: 2025-11-03 20:05
VLAI
EPSS
Title
Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
Summary
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Allocation of resources with insufficient limits
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Commons FileUpload |
Affected:
1.0 , < 1.6
(semver)
|
|
| Apache Software Foundation | Apache Commons FileUpload |
Affected:
2.0.0-M1 , < 2.0.0-M4
(semver)
|
Credits
TERASOLUNA Framework Security Team of NTT DATA Group Corporation
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:05:02.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/16/4"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T14:04:56.145891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T14:07:34.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "commons-fileupload:commons-fileupload",
"product": "Apache Commons FileUpload",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6",
"status": "affected",
"version": "1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-fileupload2",
"product": "Apache Commons FileUpload",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.0-M4",
"status": "affected",
"version": "2.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TERASOLUNA Framework Security Team of NTT DATA Group Corporation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\u003c/p\u003e"
}
],
"value": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Allocation of resources with insufficient limits",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T15:00:48.140Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48976",
"datePublished": "2025-06-16T15:00:48.140Z",
"dateReserved": "2025-05-29T07:19:14.431Z",
"dateUpdated": "2025-11-03T20:05:02.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-48976",
"date": "2026-06-04",
"epss": "0.01278",
"percentile": "0.79901"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48976\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-06-16T15:15:24.460\",\"lastModified\":\"2025-11-03T20:19:07.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\\n\\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\\n\\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\"},{\"lang\":\"es\",\"value\":\"La asignaci\u00f3n de recursos para encabezados multiparte con l\u00edmites insuficientes gener\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en Apache Commons FileUpload. Este problema afecta a Apache Commons FileUpload: de la versi\u00f3n 1.0 a la 1.6; de la versi\u00f3n 2.0.0-M1 a la 2.0.0-M4. Se recomienda actualizar a las versiones 1.6 o 2.0.0-M4, que solucionan el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0\",\"versionEndExcluding\":\"1.6\",\"matchCriteriaId\":\"20D93D43-A57F-4C1E-82AC-EB50648742EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B415BCF-AACF-4882-8882-10D99610C79D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m1-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB892667-4AF8-41C6-9F40-D800CA16A8C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AE1594A-1C38-461E-B949-76A0C24A3C7F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m2-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"827AA598-1A62-4529-A7C7-37EB9D56BE6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m3:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA5C9AC9-56E6-4864-9965-827C93755F8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:commons_fileupload:2.0.0:m3-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2395D9D-DEF6-4CC7-87F9-6D8FC9DCEE74\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/06/16/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/06/16/4\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:05:02.486Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48976\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T14:04:56.145891Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T14:05:58.653Z\"}}], \"cna\": {\"title\": \"Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"TERASOLUNA Framework Security Team of NTT DATA Group Corporation\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons FileUpload\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"lessThan\": \"1.6\", \"versionType\": \"semver\"}], \"packageName\": \"commons-fileupload:commons-fileupload\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Commons FileUpload\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0-M1\", \"lessThan\": \"2.0.0-M4\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.commons:commons-fileupload2\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\\n\\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\\n\\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAllocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Allocation of resources with insufficient limits\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-06-16T15:00:48.140Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48976\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T20:05:02.486Z\", \"dateReserved\": \"2025-05-29T07:19:14.431Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-06-16T15:00:48.140Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
RHSA-2025:14181
Vulnerability from csaf_redhat - Published: 2025-08-20 15:41 - Updated: 2026-04-30 13:32Summary
Red Hat Security Advisory: tomcat security update
Severity
Important
Notes
Topic: An update for tomcat is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
* tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
* tomcat: Apache Tomcat denial of service (CVE-2025-52520)
* tomcat: Apache Tomcat denial of service (CVE-2025-52434)
* tomcat: Apache Tomcat denial of service (CVE-2025-53506)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.
CWE-288 - Authentication Bypass Using an Alternate Path or ChannelAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.
CWE-190 - Integer Overflow or WraparoundAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
47 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)\n\n* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)\n\n* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)\n\n* tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-48989)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52520)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52434)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-53506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14181",
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14181.json"
}
],
"title": "Red Hat Security Advisory: tomcat security update",
"tracking": {
"current_release_date": "2026-04-30T13:32:15+00:00",
"generator": {
"date": "2026-04-30T13:32:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:14181",
"initial_release_date": "2025-08-20T15:41:15+00:00",
"revision_history": [
{
"date": "2025-08-20T15:41:15+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-20T15:41:15+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:32:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-3.el9_6.3.src",
"product": {
"name": "tomcat-1:9.0.87-3.el9_6.3.src",
"product_id": "tomcat-1:9.0.87-3.el9_6.3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-3.el9_6.3?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-lib@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-webapps-1:9.0.87-3.el9_6.3.noarch",
"product": {
"name": "tomcat-webapps-1:9.0.87-3.el9_6.3.noarch",
"product_id": "tomcat-webapps-1:9.0.87-3.el9_6.3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-webapps@9.0.87-3.el9_6.3?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-3.el9_6.3.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src"
},
"product_reference": "tomcat-1:9.0.87-3.el9_6.3.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-1:9.0.87-3.el9_6.3.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
},
"product_reference": "tomcat-webapps-1:9.0.87-3.el9_6.3.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T16:00:46.319735+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373020"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48976"
},
{
"category": "external",
"summary": "RHBZ#2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12",
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf",
"url": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf"
}
],
"release_date": "2025-06-16T15:00:48.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers"
},
{
"cve": "CVE-2025-48988",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T15:00:56.878149+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373015"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat DoS in multipart upload",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48988"
},
{
"category": "external",
"summary": "RHBZ#2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48988"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18",
"url": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18"
}
],
"release_date": "2025-06-16T14:13:40.457000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat DoS in multipart upload"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-06-18T08:15:11.266000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373309"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48989"
},
{
"category": "external",
"summary": "RHBZ#2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
},
{
"category": "external",
"summary": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames"
},
{
"cve": "CVE-2025-49125",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2025-06-16T15:01:10.747453+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49125"
},
{
"category": "external",
"summary": "RHBZ#2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49125"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk",
"url": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk"
}
],
"release_date": "2025-06-16T14:18:09.610000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources"
},
{
"cve": "CVE-2025-52434",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2025-07-10T20:01:51.277157+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379382"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52434"
},
{
"category": "external",
"summary": "RHBZ#2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030",
"url": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030"
}
],
"release_date": "2025-07-10T19:03:47.225000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-52520",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-07-10T20:01:27.937417+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379374"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52520"
},
{
"category": "external",
"summary": "RHBZ#2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5",
"url": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5"
}
],
"release_date": "2025-07-10T19:05:41.637000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-53506",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-07-10T20:02:08.548439+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379386"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53506"
},
{
"category": "external",
"summary": "RHBZ#2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0",
"url": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0"
}
],
"release_date": "2025-07-10T19:14:23.249000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:41:15+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-1:9.0.87-3.el9_6.3.src",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-admin-webapps-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-docs-webapp-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-el-3.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-jsp-2.3-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-lib-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-servlet-4.0-api-1:9.0.87-3.el9_6.3.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:tomcat-webapps-1:9.0.87-3.el9_6.3.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
}
]
}
RHSA-2025:14182
Vulnerability from csaf_redhat - Published: 2025-08-20 15:36 - Updated: 2026-04-30 13:32Summary
Red Hat Security Advisory: tomcat security update
Severity
Important
Notes
Topic: An update for tomcat is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
* tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
* tomcat: Apache Tomcat denial of service (CVE-2025-52520)
* tomcat: Apache Tomcat denial of service (CVE-2025-52434)
* tomcat: Apache Tomcat denial of service (CVE-2025-53506)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.
5.3 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.
5.3 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.
CWE-288 - Authentication Bypass Using an Alternate Path or ChannelAffected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.
5.3 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.
CWE-190 - Integer Overflow or WraparoundAffected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.
5.3 (Medium)
Affected products
Fixed
18 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
47 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)\n\n* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)\n\n* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)\n\n* tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-48989)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52520)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52434)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-53506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14182",
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14182.json"
}
],
"title": "Red Hat Security Advisory: tomcat security update",
"tracking": {
"current_release_date": "2026-04-30T13:32:14+00:00",
"generator": {
"date": "2026-04-30T13:32:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:14182",
"initial_release_date": "2025-08-20T15:36:45+00:00",
"revision_history": [
{
"date": "2025-08-20T15:36:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-20T15:36:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:32:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.8::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-1.el8_8.7.src",
"product": {
"name": "tomcat-1:9.0.87-1.el8_8.7.src",
"product_id": "tomcat-1:9.0.87-1.el8_8.7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el8_8.7?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-lib@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"product": {
"name": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"product_id": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-webapps@9.0.87-1.el8_8.7?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el8_8.7.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src"
},
"product_reference": "tomcat-1:9.0.87-1.el8_8.7.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.8.8)",
"product_id": "AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el8_8.7.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src"
},
"product_reference": "tomcat-1:9.0.87-1.el8_8.7.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch as a component of Red Hat Enterprise Linux AppStream TUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
},
"product_reference": "tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"relates_to_product_reference": "AppStream-8.8.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T16:00:46.319735+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373020"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48976"
},
{
"category": "external",
"summary": "RHBZ#2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12",
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf",
"url": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf"
}
],
"release_date": "2025-06-16T15:00:48.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers"
},
{
"cve": "CVE-2025-48988",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T15:00:56.878149+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373015"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat DoS in multipart upload",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48988"
},
{
"category": "external",
"summary": "RHBZ#2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48988"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18",
"url": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18"
}
],
"release_date": "2025-06-16T14:13:40.457000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat DoS in multipart upload"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-06-18T08:15:11.266000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373309"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48989"
},
{
"category": "external",
"summary": "RHBZ#2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
},
{
"category": "external",
"summary": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames"
},
{
"cve": "CVE-2025-49125",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2025-06-16T15:01:10.747453+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49125"
},
{
"category": "external",
"summary": "RHBZ#2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49125"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk",
"url": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk"
}
],
"release_date": "2025-06-16T14:18:09.610000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources"
},
{
"cve": "CVE-2025-52434",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2025-07-10T20:01:51.277157+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379382"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52434"
},
{
"category": "external",
"summary": "RHBZ#2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030",
"url": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030"
}
],
"release_date": "2025-07-10T19:03:47.225000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-52520",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-07-10T20:01:27.937417+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379374"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52520"
},
{
"category": "external",
"summary": "RHBZ#2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5",
"url": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5"
}
],
"release_date": "2025-07-10T19:05:41.637000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-53506",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-07-10T20:02:08.548439+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379386"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53506"
},
{
"category": "external",
"summary": "RHBZ#2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0",
"url": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0"
}
],
"release_date": "2025-07-10T19:14:23.249000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:36:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-1:9.0.87-1.el8_8.7.src",
"AppStream-8.8.0.Z.TUS:tomcat-admin-webapps-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-docs-webapp-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-el-3.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-jsp-2.3-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-lib-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-servlet-4.0-api-1:9.0.87-1.el8_8.7.noarch",
"AppStream-8.8.0.Z.TUS:tomcat-webapps-1:9.0.87-1.el8_8.7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
}
]
}
RHSA-2025:14183
Vulnerability from csaf_redhat - Published: 2025-08-20 15:40 - Updated: 2026-04-30 13:32Summary
Red Hat Security Advisory: tomcat security update
Severity
Important
Notes
Topic: An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)
* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)
* tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
* tomcat: Apache Tomcat denial of service (CVE-2025-52520)
* tomcat: Apache Tomcat denial of service (CVE-2025-52434)
* tomcat: Apache Tomcat denial of service (CVE-2025-53506)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.
CWE-288 - Authentication Bypass Using an Alternate Path or ChannelAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.
CWE-190 - Integer Overflow or WraparoundAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
47 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat DoS in multipart upload (CVE-2025-48988)\n\n* tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)\n\n* apache-commons-fileupload: Apache Commons FileUpload DoS via part headers (CVE-2025-48976)\n\n* tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames (CVE-2025-48989)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52520)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-52434)\n\n* tomcat: Apache Tomcat denial of service (CVE-2025-53506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:14183",
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_14183.json"
}
],
"title": "Red Hat Security Advisory: tomcat security update",
"tracking": {
"current_release_date": "2026-04-30T13:32:13+00:00",
"generator": {
"date": "2026-04-30T13:32:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:14183",
"initial_release_date": "2025-08-20T15:40:30+00:00",
"revision_history": [
{
"date": "2025-08-20T15:40:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-20T15:40:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:32:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-1.el9_2.6.src",
"product": {
"name": "tomcat-1:9.0.87-1.el9_2.6.src",
"product_id": "tomcat-1:9.0.87-1.el9_2.6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el9_2.6?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-admin-webapps@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-docs-webapp@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-el-3.0-api@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsp-2.3-api@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-lib@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-servlet-4.0-api@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "tomcat-webapps-1:9.0.87-1.el9_2.6.noarch",
"product": {
"name": "tomcat-webapps-1:9.0.87-1.el9_2.6.noarch",
"product_id": "tomcat-webapps-1:9.0.87-1.el9_2.6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-webapps@9.0.87-1.el9_2.6?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-1:9.0.87-1.el9_2.6.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src"
},
"product_reference": "tomcat-1:9.0.87-1.el9_2.6.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-1:9.0.87-1.el9_2.6.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
},
"product_reference": "tomcat-webapps-1:9.0.87-1.el9_2.6.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T16:00:46.319735+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373020"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48976"
},
{
"category": "external",
"summary": "RHBZ#2373020",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12",
"url": "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf",
"url": "https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf"
}
],
"release_date": "2025-06-16T15:00:48.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-fileupload: Apache Commons FileUpload DoS via part headers"
},
{
"cve": "CVE-2025-48988",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-06-16T15:00:56.878149+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373015"
}
],
"notes": [
{
"category": "description",
"text": "A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat DoS in multipart upload",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48988"
},
{
"category": "external",
"summary": "RHBZ#2373015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48988"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48988"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18",
"url": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18"
}
],
"release_date": "2025-06-16T14:13:40.457000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat DoS in multipart upload"
},
{
"cve": "CVE-2025-48989",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-06-18T08:15:11.266000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373309"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48989"
},
{
"category": "external",
"summary": "RHBZ#2373309",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48989"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
},
{
"category": "external",
"summary": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.44"
}
],
"release_date": "2025-08-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames"
},
{
"cve": "CVE-2025-49125",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2025-06-16T15:01:10.747453+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2373018"
}
],
"notes": [
{
"category": "description",
"text": "A flaw has been discovered in path handling logic in Apache Tomcat. When using either PreResources or PostResources mounted on a non-root path, it is possible to access resources via an unexpected path. This may result in leaking of files on those paths.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49125"
},
{
"category": "external",
"summary": "RHBZ#2373018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373018"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49125",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49125"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49125"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk",
"url": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk"
}
],
"release_date": "2025-06-16T14:18:09.610000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat: Security constraint bypass for pre/post-resources"
},
{
"cve": "CVE-2025-52434",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2025-07-10T20:01:51.277157+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379382"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52434"
},
{
"category": "external",
"summary": "RHBZ#2379382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52434",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52434"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030",
"url": "https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030"
}
],
"release_date": "2025-07-10T19:03:47.225000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-52520",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2025-07-10T20:01:27.937417+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379374"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. For some unlikely configurations of multipart upload, an integer overflow vulnerability may lead to a denial of service via bypassing size limits.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-52520"
},
{
"category": "external",
"summary": "RHBZ#2379374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-52520",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52520"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52520"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5",
"url": "https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5"
}
],
"release_date": "2025-07-10T19:05:41.637000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "tomcat: Apache Tomcat denial of service"
},
{
"cve": "CVE-2025-53506",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2025-07-10T20:02:08.548439+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379386"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: Apache Tomcat denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-53506"
},
{
"category": "external",
"summary": "RHBZ#2379386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-53506",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53506"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53506"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0",
"url": "https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0"
}
],
"release_date": "2025-07-10T19:14:23.249000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-20T15:40:30+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-1:9.0.87-1.el9_2.6.src",
"AppStream-9.2.0.Z.E4S:tomcat-admin-webapps-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-docs-webapp-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-el-3.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-jsp-2.3-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-lib-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-servlet-4.0-api-1:9.0.87-1.el9_2.6.noarch",
"AppStream-9.2.0.Z.E4S:tomcat-webapps-1:9.0.87-1.el9_2.6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tomcat: Apache Tomcat denial of service"
}
]
}
SUSE-SU-2025:02159-1
Vulnerability from csaf_suse - Published: 2025-06-27 14:56 - Updated: 2025-06-27 14:56Summary
Security update for apache-commons-fileupload
Severity
Important
Notes
Title of the patch: Security update for apache-commons-fileupload
Description of the patch: This update for apache-commons-fileupload fixes the following issues:
Upgrade to upstream version 1.6.0
- CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS (bsc#1244657).
Full changelog:
https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0
Patchnames: SUSE-2025-2159,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2159,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2159,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-2159,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-2159,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-2159,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-2159,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2159,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-2159,SUSE-Storage-7.1-2025-2159,openSUSE-SLE-15.6-2025-2159
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 7.1:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Server 4.3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-commons-fileupload",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-commons-fileupload fixes the following issues:\nUpgrade to upstream version 1.6.0\n\n- CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS (bsc#1244657).\n\nFull changelog:\n\nhttps://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2159,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2159,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2159,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-2159,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-2159,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-2159,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-2159,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-2159,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-2159,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2159,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-2159,SUSE-Storage-7.1-2025-2159,openSUSE-SLE-15.6-2025-2159",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02159-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02159-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502159-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02159-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-June/040534.html"
},
{
"category": "self",
"summary": "SUSE Bug 1244657",
"url": "https://bugzilla.suse.com/1244657"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48976 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48976/"
}
],
"title": "Security update for apache-commons-fileupload",
"tracking": {
"current_release_date": "2025-06-27T14:56:05Z",
"generator": {
"date": "2025-06-27T14:56:05Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02159-1",
"initial_release_date": "2025-06-27T14:56:05Z",
"revision_history": [
{
"date": "2025-06-27T14:56:05Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"product_id": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch",
"product": {
"name": "apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch",
"product_id": "apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server 4.3",
"product": {
"name": "SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:7.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Manager Server 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch"
},
"product_reference": "apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48976"
}
],
"notes": [
{
"category": "general",
"text": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Manager Server 4.3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48976",
"url": "https://www.suse.com/security/cve/CVE-2025-48976"
},
{
"category": "external",
"summary": "SUSE Bug 1244657 for CVE-2025-48976",
"url": "https://bugzilla.suse.com/1244657"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Manager Server 4.3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"SUSE Manager Server 4.3:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-1.6.0-150200.3.12.1.noarch",
"openSUSE Leap 15.6:apache-commons-fileupload-javadoc-1.6.0-150200.3.12.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-06-27T14:56:05Z",
"details": "important"
}
],
"title": "CVE-2025-48976"
}
]
}
SUSE-SU-2025:02184-1
Vulnerability from csaf_suse - Published: 2025-07-01 08:14 - Updated: 2025-07-01 08:14Summary
Security update for jakarta-commons-fileupload
Severity
Important
Notes
Title of the patch: Security update for jakarta-commons-fileupload
Description of the patch: This update for jakarta-commons-fileupload fixes the following issues:
Upgrade to upstream version 1.6.0
- CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS (bsc#1244657).
Full changelog:
https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0
Patchnames: SUSE-2025-2184,SUSE-SLE-SERVER-12-SP5-LTSS-2025-2184,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2184
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-1.6.0-126.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-1.6.0-126.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jakarta-commons-fileupload",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jakarta-commons-fileupload fixes the following issues:\n\nUpgrade to upstream version 1.6.0\n\n- CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to a DoS (bsc#1244657).\n\nFull changelog:\n\nhttps://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-2184,SUSE-SLE-SERVER-12-SP5-LTSS-2025-2184,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2184",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_02184-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:02184-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202502184-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:02184-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-July/040575.html"
},
{
"category": "self",
"summary": "SUSE Bug 1244657",
"url": "https://bugzilla.suse.com/1244657"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48976 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48976/"
}
],
"title": "Security update for jakarta-commons-fileupload",
"tracking": {
"current_release_date": "2025-07-01T08:14:12Z",
"generator": {
"date": "2025-07-01T08:14:12Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:02184-1",
"initial_release_date": "2025-07-01T08:14:12Z",
"revision_history": [
{
"date": "2025-07-01T08:14:12Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"product": {
"name": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"product_id": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch"
}
},
{
"category": "product_version",
"name": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"product": {
"name": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"product_id": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 12 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:12:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss-extended-security:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-1.6.0-126.3.1.noarch"
},
"product_reference": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch as component of SUSE Linux Enterprise Server 12 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
},
"product_reference": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-1.6.0-126.3.1.noarch"
},
"product_reference": "jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch as component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5",
"product_id": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
},
"product_reference": "jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server LTSS Extended Security 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48976"
}
],
"notes": [
{
"category": "general",
"text": "Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.\n\nThis issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.\n\nUsers are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48976",
"url": "https://www.suse.com/security/cve/CVE-2025-48976"
},
{
"category": "external",
"summary": "SUSE Bug 1244657 for CVE-2025-48976",
"url": "https://bugzilla.suse.com/1244657"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server 12 SP5-LTSS:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-1.6.0-126.3.1.noarch",
"SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:jakarta-commons-fileupload-javadoc-1.6.0-126.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-07-01T08:14:12Z",
"details": "important"
}
],
"title": "CVE-2025-48976"
}
]
}
WID-SEC-W-2025-1334
Vulnerability from csaf_certbund - Published: 2025-06-16 22:00 - Updated: 2026-01-07 23:00Summary
Apache Commons FileUpload: Schwachstelle ermöglicht Denial of Service
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.
Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons FileUpload ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme: - Linux
- MacOS X
- UNIX
- Windows
Affected products
Known affected
75 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
IBM MQ <9.4.0.16
IBM / MQ
|
<9.4.0.16 | ||
|
Atlassian Jira Data Center and Server <10.3.10
Atlassian / Jira
|
Data Center and Server <10.3.10 | ||
|
IBM MQ <9.2.0.38
IBM / MQ
|
<9.2.0.38 | ||
|
Atlassian Jira Data Center and Server <10.7.3
Atlassian / Jira
|
Data Center and Server <10.7.3 | ||
|
IBM Security Verify Access <v11.0.2
IBM / Security Verify Access
|
<v11.0.2 | ||
|
IBM MQ <9.1.0.32
IBM / MQ
|
<9.1.0.32 | ||
|
Atlassian Jira Data Center and Server <11.2.0
Atlassian / Jira
|
Data Center and Server <11.2.0 | ||
|
HCL Commerce
HCL / Commerce
|
cpe:/a:hcltechsw:commerce:-
|
— | |
|
Xerox FreeFlow Print Server v7
Xerox / FreeFlow Print Server
|
cpe:/a:xerox:freeflow_print_server:v7
|
v7 | |
|
Oracle Linux
Oracle
|
cpe:/o:oracle:linux:-
|
— | |
|
IBM WebSphere Application Server 8.5
IBM / WebSphere Application Server
|
cpe:/a:ibm:websphere_application_server:8.5
|
8.5 | |
|
IBM WebSphere Application Server 9.0
IBM / WebSphere Application Server
|
cpe:/a:ibm:websphere_application_server:9.0
|
9 | |
|
IBM QRadar SIEM
IBM
|
cpe:/a:ibm:qradar_siem:-
|
— | |
|
Amazon Linux 2
Amazon
|
cpe:/o:amazon:linux_2:-
|
— | |
|
IBM MQ <9.4.4.0
IBM / MQ
|
<9.4.4.0 | ||
|
Atlassian Jira Data Center and Server <9.12.26
Atlassian / Jira
|
Data Center and Server <9.12.26 | ||
|
IBM DevOps Code ClearCase 11.0
IBM / DevOps Code ClearCase
|
cpe:/a:ibm:devops_code_clearcase:11.0
|
11 | |
|
Atlassian Jira Service Management Data Center and Server <10.3.10
Atlassian / Jira
|
Service Management Data Center and Server <10.3.10 | ||
|
Atlassian Jira Service Management Data Center and Server <5.12.26
Atlassian / Jira
|
Service Management Data Center and Server <5.12.26 | ||
|
IBM TXSeries Multiplatforms
IBM / TXSeries
|
cpe:/a:ibm:txseries:multiplatforms
|
Multiplatforms | |
|
IBM InfoSphere Information Server
IBM / InfoSphere Information Server
|
cpe:/a:ibm:infosphere_information_server:-
|
— | |
|
Absolute Secure Access <13.56
Absolute / Secure Access
|
<13.56 | ||
|
IBM SPSS Collaboration and Deployment Services
IBM / SPSS
|
cpe:/a:ibm:spss:collaboration_and_deployment_services
|
Collaboration and Deployment Services | |
|
IBM Rational ClearCase 9.1
IBM / Rational ClearCase
|
cpe:/a:ibm:rational_clearcase:9.1
|
9.1 | |
|
HCL BigFix
HCL
|
cpe:/a:hcltech:bigfix:inventory
|
— | |
|
Dell PowerProtect Data Domain
Dell
|
cpe:/a:dell:powerprotect_data_domain:-
|
— | |
|
HCL Commerce <9.1.18.2
HCL / Commerce
|
<9.1.18.2 | ||
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Apache Commons FileUpload <2.0.0-M4
Apache / Commons
|
FileUpload <2.0.0-M4 | ||
|
Apache Commons FileUpload <1.6
Apache / Commons
|
FileUpload <1.6 | ||
|
IBM InfoSphere Information Server 11.7
IBM / InfoSphere Information Server
|
cpe:/a:ibm:infosphere_information_server:11.7
|
11.7 | |
|
IBM Tivoli Netcool/OMNIbus
IBM
|
cpe:/a:ibm:tivoli_netcool%2fomnibus:-
|
— | |
|
IBM Tivoli Key Lifecycle Manager
IBM
|
cpe:/a:ibm:tivoli_key_lifecycle_manager:-
|
— | |
|
IBM Security Verify Access <v10.0.9.1
IBM / Security Verify Access
|
<v10.0.9.1 | ||
|
Dell NetWorker Management Web UI <19.13.0.2
Dell / NetWorker
|
Management Web UI <19.13.0.2 | ||
|
IBM WebSphere Service Registry and Repository 8.5
IBM / WebSphere Service Registry and Repository
|
cpe:/a:ibm:websphere_service_registry_and_repository:8.5
|
8.5 | |
|
Dell NetWorker Management Console <19.13.0.2
Dell / NetWorker
|
Management Console <19.13.0.2 | ||
|
NetApp ActiveIQ Unified Manager for VMware vSphere
NetApp / ActiveIQ Unified Manager
|
cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere
|
for VMware vSphere | |
|
SAS Institute Base SAS <9.4M9 (TS1M9)
SAS Institute / Base SAS
|
<9.4M9 (TS1M9) | ||
|
Red Hat Enterprise Linux
Red Hat
|
cpe:/o:redhat:enterprise_linux:-
|
— | |
|
IBM SPSS Analytic Server
IBM / SPSS
|
cpe:/a:ibm:spss:analytic_server
|
Analytic Server | |
|
IBM License Metric Tool
IBM
|
cpe:/a:ibm:license_metric_tool:-
|
— | |
|
IBM MQ
IBM / MQ
|
cpe:/a:ibm:mq:operator
|
— | |
|
IBM Storage Scale <5.2.3.3
IBM / Storage Scale
|
<5.2.3.3 | ||
|
Atlassian Bamboo <10.2.6 (LTS)
Atlassian / Bamboo
|
<10.2.6 (LTS) | ||
|
Atlassian Bamboo <11.0.3
Atlassian / Bamboo
|
<11.0.3 | ||
|
Atlassian Bamboo <9.6.15 (LTS)
Atlassian / Bamboo
|
<9.6.15 (LTS) | ||
|
NetApp ActiveIQ Unified Manager for Microsoft Windows
NetApp / ActiveIQ Unified Manager
|
cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows
|
for Microsoft Windows | |
|
F5 BIG-IP
F5
|
cpe:/a:f5:big-ip:-
|
— | |
|
IBM Operational Decision Manager
IBM
|
cpe:/a:ibm:operational_decision_manager:-
|
— | |
|
IBM Business Automation Workflow
IBM / Business Automation Workflow
|
cpe:/a:ibm:business_automation_workflow:containers
|
— | |
|
IBM FileNet Content Manager
IBM
|
cpe:/a:ibm:filenet_content_manager:-
|
— | |
|
IBM Business Automation Workflow 25.0.0
IBM / Business Automation Workflow
|
cpe:/a:ibm:business_automation_workflow:25.0.0
|
25.0.0 | |
|
IBM Integration Bus for z/OS 10.1.0.0-10.1.0.5
IBM / Integration Bus
|
cpe:/a:ibm:integration_bus:10.1.0.0_-_10.1.0.5::zos
|
for z/OS 10.1.0.0-10.1.0.5 | |
|
IBM Business Automation Workflow 24.0.1
IBM / Business Automation Workflow
|
cpe:/a:ibm:business_automation_workflow:24.0.1
|
24.0.1 | |
|
Red Hat JBoss Web Server <6.1.1
Red Hat / JBoss Web Server
|
<6.1.1 | ||
|
IBM Tivoli Network Manager IP Edition <4.2 Fix Pack 23
IBM / Tivoli Network Manager
|
IP Edition <4.2 Fix Pack 23 | ||
|
IBM Rational ClearCase 10.0.0
IBM / Rational ClearCase
|
cpe:/a:ibm:rational_clearcase:10.0.0
|
10.0.0 | |
|
IBM Tivoli Business Service Manager
IBM
|
cpe:/a:ibm:tivoli_business_service_manager:-
|
— | |
|
RESF Rocky Linux
RESF
|
cpe:/o:resf:rocky_linux:-
|
— | |
|
NetApp ActiveIQ Unified Manager for Linux
NetApp / ActiveIQ Unified Manager
|
cpe:/a:netapp:active_iq_unified_manager:for_linux
|
for Linux | |
|
IBM InfoSphere Identity Insight 9.0
IBM / InfoSphere Identity Insight
|
cpe:/a:ibm:infosphere_identity_insight:9.0
|
9 | |
|
IBM Business Automation Workflow
IBM / Business Automation Workflow
|
cpe:/a:ibm:business_automation_workflow:-
|
— | |
|
IBM Business Automation Workflow 24.0.0
IBM / Business Automation Workflow
|
cpe:/a:ibm:business_automation_workflow:24.0.0
|
24.0.0 | |
|
Atlassian Jira Service Management Data Center and Server <11.2.0
Atlassian / Jira
|
Service Management Data Center and Server <11.2.0 | ||
|
IBM InfoSphere Identity Insight 10.0
IBM / InfoSphere Identity Insight
|
cpe:/a:ibm:infosphere_identity_insight:10.0
|
10 | |
|
IBM InfoSphere Identity Insight 9.1
IBM / InfoSphere Identity Insight
|
cpe:/a:ibm:infosphere_identity_insight:9.1
|
9.1 | |
|
IBM Spectrum Protect Operations Center <8.1.27.100
IBM / Spectrum Protect
|
Operations Center <8.1.27.100 | ||
|
Atlassian Jira Service Management Data Center and Server <10.7.3
Atlassian / Jira
|
Service Management Data Center and Server <10.7.3 | ||
|
IBM WebSphere Application Server Liberty 17.0.0.3-25.0.0.8
IBM / WebSphere Application Server
|
cpe:/a:ibm:websphere_application_server:17.0.0.3_-_25.0.0.8::liberty
|
Liberty 17.0.0.3-25.0.0.8 | |
|
IBM Tivoli Monitoring <6.3.0.7 SP 5
IBM / Tivoli Monitoring
|
<6.3.0.7 SP 5 | ||
|
IBM Storage Scale <5.1.9.12
IBM / Storage Scale
|
<5.1.9.12 | ||
|
Atlassian Crucible <4.9.3
Atlassian / Crucible
|
<4.9.3 | ||
|
Dell Secure Connect Gateway Appliance <5.32.00.18
Dell / Secure Connect Gateway
|
Appliance <5.32.00.18 |
References
75 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Commons FileUpload ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1334 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1334.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1334 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1334"
},
{
"category": "external",
"summary": "Mailing list OSS Security vom 2025-06-16",
"url": "https://seclists.org/oss-sec/2025/q2/255"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vv7r-c36w-3prj vom 2025-06-16",
"url": "https://github.com/advisories/GHSA-vv7r-c36w-3prj"
},
{
"category": "external",
"summary": "Red Hat Bugtracker #2373020 vom 2025-06-16",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373020"
},
{
"category": "external",
"summary": "PoC CVE-2025-48988 \u0026 CVE-2025-48976 vom 2025-06-20",
"url": "https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02159-1 vom 2025-06-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021698.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02184-1 vom 2025-07-01",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-July/021733.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2-2025-2920 vom 2025-07-10",
"url": "https://alas.aws.amazon.com/AL2/ALAS2-2025-2920.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2TOMCAT9-2025-020 vom 2025-07-10",
"url": "https://alas.aws.amazon.com/AL2/ALAS2TOMCAT9-2025-020.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7239768 vom 2025-07-15",
"url": "https://www.ibm.com/support/pages/node/7239768"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7239757 vom 2025-07-15",
"url": "https://www.ibm.com/support/pages/node/7239757"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - July 15 2025",
"url": "https://confluence.atlassian.com/security/security-bulletin-july-15-2025-1590658642.html"
},
{
"category": "external",
"summary": "F5 Security Advisory K000152614 vom 2025-07-17",
"url": "https://my.f5.com/manage/s/article/K000152614"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4245 vom 2025-07-22",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4244 vom 2025-07-22",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11695 vom 2025-07-28",
"url": "https://access.redhat.com/errata/RHSA-2025:11695"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11696 vom 2025-07-28",
"url": "https://access.redhat.com/errata/RHSA-2025:11696"
},
{
"category": "external",
"summary": "Absolute Security Information vom 2025-07-30",
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/secure-access-1356"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11741 vom 2025-07-30",
"url": "https://access.redhat.com/errata/RHSA-2025:11741"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:11742 vom 2025-07-30",
"url": "https://access.redhat.com/errata/RHSA-2025:11742"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-08-05",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=4cd4383f3bcb26d828f8f547f4e45af6"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7242088 vom 2025-08-13",
"url": "https://www.ibm.com/support/pages/node/7242088"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7242150 vom 2025-08-14",
"url": "https://www.ibm.com/support/pages/node/7242150"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7242269 vom 2025-08-15",
"url": "https://www.ibm.com/support/pages/node/7242269"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14183 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14183"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14181 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14181"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14177 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14177.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14178 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14178"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14179 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14179"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14182 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14182"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14180 vom 2025-08-21",
"url": "https://access.redhat.com/errata/RHSA-2025:14180"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:14177 vom 2025-08-20",
"url": "https://access.redhat.com/errata/RHSA-2025:14177"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14181 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14181.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14178 vom 2025-08-21",
"url": "https://linux.oracle.com/errata/ELSA-2025-14178.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-14179 vom 2025-08-22",
"url": "https://linux.oracle.com/errata/ELSA-2025-14179.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7243542 vom 2025-08-29",
"url": "https://www.ibm.com/support/pages/node/7243542"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7243781 vom 2025-09-02",
"url": "https://www.ibm.com/support/pages/node/7243781"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:14177 vom 2025-09-08",
"url": "https://errata.build.resf.org/RLSA-2025:14177"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7244395 vom 2025-09-09",
"url": "https://www.ibm.com/support/pages/node/7244395"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7244610 vom 2025-09-11",
"url": "https://www.ibm.com/support/pages/node/7244610"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7244759 vom 2025-09-12",
"url": "https://www.ibm.com/support/pages/node/7244759"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245133 vom 2025-09-16",
"url": "https://www.ibm.com/support/pages/node/7245133"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245567 vom 2025-09-19",
"url": "https://www.ibm.com/support/pages/node/7245567"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245706 vom 2025-09-22",
"url": "https://www.ibm.com/support/pages/node/7245706"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7245647 vom 2025-09-20",
"url": "https://www.ibm.com/support/pages/node/7245647"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-09-26",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=434140d4fb5cfa90db10f2797befdc4a"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7246164 vom 2025-09-29",
"url": "https://www.ibm.com/support/pages/node/7246164"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7247015 vom 2025-10-03",
"url": "https://www.ibm.com/support/pages/node/7247015"
},
{
"category": "external",
"summary": "SAS Security Update vom 2025-10-02",
"url": "https://support.sas.com/en/security-bulletins/sas-security-update-for-sas-94m9-ts1m9.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7247771 vom 2025-10-13",
"url": "https://www.ibm.com/support/pages/node/7247771"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7247770 vom 2025-10-13",
"url": "https://www.ibm.com/support/pages/node/7247770"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7247935 vom 2025-10-14",
"url": "https://www.ibm.com/support/pages/node/7247935"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin",
"url": "https://jira.atlassian.com/browse/CRUC-8667"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7248944 vom 2025-10-23",
"url": "https://www.ibm.com/support/pages/node/7248944"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7249056 vom 2025-10-24",
"url": "https://www.ibm.com/support/pages/node/7249056"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7248784 vom 2025-10-23",
"url": "https://www.ibm.com/support/pages/node/7248784"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-10-24",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0123933"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7249764 vom 2025-10-31",
"url": "https://www.ibm.com/support/pages/node/7249764"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-390 vom 2025-11-05",
"url": "https://www.dell.com/support/kbdoc/000385230"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7250258 vom 2025-11-06",
"url": "https://www.ibm.com/support/pages/node/7250258"
},
{
"category": "external",
"summary": "NetApp Security Advisory NTAP-20251107-0004 vom 2025-11-07",
"url": "https://security.netapp.com/advisory/NTAP-20251107-0004"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7249994 vom 2025-11-12",
"url": "https://www.ibm.com/support/pages/node/7249994"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7251247 vom 2025-11-14",
"url": "https://www.ibm.com/support/pages/node/7251247"
},
{
"category": "external",
"summary": "XEROX Security Advisory XRX25-018 vom 2025-11-18",
"url": "https://security.business.xerox.com/wp-content/uploads/2025/11/Xerox-Security-Bulletin-XRX25-018-Xerox-FreeFlow-Print-Server-v7.pdf"
},
{
"category": "external",
"summary": "Jira Security Advisory",
"url": "https://jira.atlassian.com/browse/JSWSERVER-26537"
},
{
"category": "external",
"summary": "Jira Security Advisory",
"url": "https://jira.atlassian.com/browse/JSDSERVER-16435"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7252567 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7252567"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7239588 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7239588"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-365 vom 2025-12-01",
"url": "https://www.dell.com/support/kbdoc/de-de/000397532/dsa-2025-365-security-update-for-dell-networker-multiple-third-party-component-vulnerabilities"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7254321 vom 2025-12-10",
"url": "https://www.ibm.com/support/pages/node/7254321"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7255033 vom 2025-12-17",
"url": "https://www.ibm.com/support/pages/node/7255033"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-415 vom 2025-12-22",
"url": "https://www.dell.com/support/kbdoc/000405813"
},
{
"category": "external",
"summary": "HCL Security Bulletin vom 2025-12-20",
"url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=e990462f33fd7290159a05273e5c7b9c"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7256452 vom 2026-01-07",
"url": "https://www.ibm.com/support/pages/node/7256452"
}
],
"source_lang": "en-US",
"title": "Apache Commons FileUpload: Schwachstelle erm\u00f6glicht Denial of Service",
"tracking": {
"current_release_date": "2026-01-07T23:00:00.000+00:00",
"generator": {
"date": "2026-01-08T08:12:24.214+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-1334",
"initial_release_date": "2025-06-16T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-06-16T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-06-19T22:00:00.000+00:00",
"number": "2",
"summary": "PoC aufgenommen"
},
{
"date": "2025-06-29T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-07-01T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-07-10T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-07-15T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-07-17T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von F5 aufgenommen"
},
{
"date": "2025-07-21T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-07-28T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-29T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-07-30T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-08-05T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2025-08-13T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
},
{
"date": "2025-08-14T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-08-20T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2025-08-21T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-08-24T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-08-28T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-02T22:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-08T22:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
},
{
"date": "2025-09-09T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-10T22:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-11T22:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-16T22:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-21T22:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-09-25T22:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2025-09-29T22:00:00.000+00:00",
"number": "27",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-10-05T22:00:00.000+00:00",
"number": "28",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-10-13T22:00:00.000+00:00",
"number": "29",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-10-14T22:00:00.000+00:00",
"number": "30",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "31",
"summary": "Neue Updates von Atlassian aufgenommen"
},
{
"date": "2025-10-23T22:00:00.000+00:00",
"number": "32",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-10-26T23:00:00.000+00:00",
"number": "33",
"summary": "Neue Updates von HCL aufgenommen"
},
{
"date": "2025-11-02T23:00:00.000+00:00",
"number": "34",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-04T23:00:00.000+00:00",
"number": "35",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2025-11-05T23:00:00.000+00:00",
"number": "36",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-06T23:00:00.000+00:00",
"number": "37",
"summary": "Neue Updates von NetApp aufgenommen"
},
{
"date": "2025-11-11T23:00:00.000+00:00",
"number": "38",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-16T23:00:00.000+00:00",
"number": "39",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-17T23:00:00.000+00:00",
"number": "40",
"summary": "Neue Updates von XEROX aufgenommen"
},
{
"date": "2025-11-18T23:00:00.000+00:00",
"number": "41",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "42",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-26T23:00:00.000+00:00",
"number": "43",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-11-30T23:00:00.000+00:00",
"number": "44",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2025-12-10T23:00:00.000+00:00",
"number": "45",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-12-16T23:00:00.000+00:00",
"number": "46",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2025-12-21T23:00:00.000+00:00",
"number": "47",
"summary": "Neue Updates von Dell und HCL aufgenommen"
},
{
"date": "2026-01-07T23:00:00.000+00:00",
"number": "48",
"summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
}
],
"status": "final",
"version": "48"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c13.56",
"product": {
"name": "Absolute Secure Access \u003c13.56",
"product_id": "T045729"
}
},
{
"category": "product_version",
"name": "13.56",
"product": {
"name": "Absolute Secure Access 13.56",
"product_id": "T045729-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:absolute:secure_access:13.56"
}
}
}
],
"category": "product_name",
"name": "Secure Access"
}
],
"category": "vendor",
"name": "Absolute"
},
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "FileUpload \u003c1.6",
"product": {
"name": "Apache Commons FileUpload \u003c1.6",
"product_id": "T044646"
}
},
{
"category": "product_version",
"name": "FileUpload 1.6",
"product": {
"name": "Apache Commons FileUpload 1.6",
"product_id": "T044646-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:commons:1.6::fileupload"
}
}
},
{
"category": "product_version_range",
"name": "FileUpload \u003c2.0.0-M4",
"product": {
"name": "Apache Commons FileUpload \u003c2.0.0-M4",
"product_id": "T044647"
}
},
{
"category": "product_version",
"name": "FileUpload 2.0.0-M4",
"product": {
"name": "Apache Commons FileUpload 2.0.0-M4",
"product_id": "T044647-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:commons:2.0.0-m4::fileupload"
}
}
}
],
"category": "product_name",
"name": "Commons"
}
],
"category": "vendor",
"name": "Apache"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c11.0.3",
"product": {
"name": "Atlassian Bamboo \u003c11.0.3",
"product_id": "T045447"
}
},
{
"category": "product_version",
"name": "11.0.3",
"product": {
"name": "Atlassian Bamboo 11.0.3",
"product_id": "T045447-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:11.0.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.2.6 (LTS)",
"product": {
"name": "Atlassian Bamboo \u003c10.2.6 (LTS)",
"product_id": "T045448"
}
},
{
"category": "product_version",
"name": "10.2.6 (LTS)",
"product": {
"name": "Atlassian Bamboo 10.2.6 (LTS)",
"product_id": "T045448-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:10.2.6_%28lts%29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.6.15 (LTS)",
"product": {
"name": "Atlassian Bamboo \u003c9.6.15 (LTS)",
"product_id": "T045449"
}
},
{
"category": "product_version",
"name": "9.6.15 (LTS)",
"product": {
"name": "Atlassian Bamboo 9.6.15 (LTS)",
"product_id": "T045449-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:9.6.15_%28lts%29"
}
}
}
],
"category": "product_name",
"name": "Bamboo"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.9.3",
"product": {
"name": "Atlassian Crucible \u003c4.9.3",
"product_id": "T048026"
}
},
{
"category": "product_version",
"name": "4.9.3",
"product": {
"name": "Atlassian Crucible 4.9.3",
"product_id": "T048026-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:crucible:4.9.3"
}
}
}
],
"category": "product_name",
"name": "Crucible"
},
{
"branches": [
{
"category": "product_version_range",
"name": "Data Center and Server \u003c11.2.0",
"product": {
"name": "Atlassian Jira Data Center and Server \u003c11.2.0",
"product_id": "T048690"
}
},
{
"category": "product_version",
"name": "Data Center and Server 11.2.0",
"product": {
"name": "Atlassian Jira Data Center and Server 11.2.0",
"product_id": "T048690-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:data_center_and_server__11.2.0"
}
}
},
{
"category": "product_version_range",
"name": "Data Center and Server \u003c10.7.3",
"product": {
"name": "Atlassian Jira Data Center and Server \u003c10.7.3",
"product_id": "T048691"
}
},
{
"category": "product_version",
"name": "Data Center and Server 10.7.3",
"product": {
"name": "Atlassian Jira Data Center and Server 10.7.3",
"product_id": "T048691-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:data_center_and_server__10.7.3"
}
}
},
{
"category": "product_version_range",
"name": "Data Center and Server \u003c10.3.10",
"product": {
"name": "Atlassian Jira Data Center and Server \u003c10.3.10",
"product_id": "T048692"
}
},
{
"category": "product_version",
"name": "Data Center and Server 10.3.10",
"product": {
"name": "Atlassian Jira Data Center and Server 10.3.10",
"product_id": "T048692-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:data_center_and_server__10.3.10"
}
}
},
{
"category": "product_version_range",
"name": "Data Center and Server \u003c9.12.26",
"product": {
"name": "Atlassian Jira Data Center and Server \u003c9.12.26",
"product_id": "T048693"
}
},
{
"category": "product_version",
"name": "Data Center and Server 9.12.26",
"product": {
"name": "Atlassian Jira Data Center and Server 9.12.26",
"product_id": "T048693-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:data_center_and_server__9.12.26"
}
}
},
{
"category": "product_version_range",
"name": "Service Management Data Center and Server \u003c5.12.26",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server \u003c5.12.26",
"product_id": "T048698"
}
},
{
"category": "product_version",
"name": "Service Management Data Center and Server 5.12.26",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server 5.12.26",
"product_id": "T048698-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:service_management_data_center_and_server___5.12.26"
}
}
},
{
"category": "product_version_range",
"name": "Service Management Data Center and Server \u003c10.3.10",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server \u003c10.3.10",
"product_id": "T048699"
}
},
{
"category": "product_version",
"name": "Service Management Data Center and Server 10.3.10",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server 10.3.10",
"product_id": "T048699-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:service_management_data_center_and_server___10.3.10"
}
}
},
{
"category": "product_version_range",
"name": "Service Management Data Center and Server \u003c10.7.3",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server \u003c10.7.3",
"product_id": "T048700"
}
},
{
"category": "product_version",
"name": "Service Management Data Center and Server 10.7.3",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server 10.7.3",
"product_id": "T048700-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:service_management_data_center_and_server__10.7.3"
}
}
},
{
"category": "product_version_range",
"name": "Service Management Data Center and Server \u003c11.2.0",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server \u003c11.2.0",
"product_id": "T048701"
}
},
{
"category": "product_version",
"name": "Service Management Data Center and Server 11.2.0",
"product": {
"name": "Atlassian Jira Service Management Data Center and Server 11.2.0",
"product_id": "T048701-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:service_management_data_center_and_server__11.2.0"
}
}
}
],
"category": "product_name",
"name": "Jira"
}
],
"category": "vendor",
"name": "Atlassian"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Management Console \u003c19.13.0.2",
"product": {
"name": "Dell NetWorker Management Console \u003c19.13.0.2",
"product_id": "T048961"
}
},
{
"category": "product_version",
"name": "Management Console 19.13.0.2",
"product": {
"name": "Dell NetWorker Management Console 19.13.0.2",
"product_id": "T048961-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:management_console__19.13.0.2"
}
}
},
{
"category": "product_version_range",
"name": "Management Web UI \u003c19.13.0.2",
"product": {
"name": "Dell NetWorker Management Web UI \u003c19.13.0.2",
"product_id": "T048962"
}
},
{
"category": "product_version",
"name": "Management Web UI 19.13.0.2",
"product": {
"name": "Dell NetWorker Management Web UI 19.13.0.2",
"product_id": "T048962-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:networker:management_web_ui__19.13.0.2"
}
}
}
],
"category": "product_name",
"name": "NetWorker"
},
{
"category": "product_name",
"name": "Dell PowerProtect Data Domain",
"product": {
"name": "Dell PowerProtect Data Domain",
"product_id": "T045852",
"product_identification_helper": {
"cpe": "cpe:/a:dell:powerprotect_data_domain:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "Appliance \u003c5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance \u003c5.32.00.18",
"product_id": "T048301"
}
},
{
"category": "product_version",
"name": "Appliance 5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance 5.32.00.18",
"product_id": "T048301-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:secure_connect_gateway:appliance__5.32.00.18"
}
}
}
],
"category": "product_name",
"name": "Secure Connect Gateway"
}
],
"category": "vendor",
"name": "Dell"
},
{
"branches": [
{
"category": "product_name",
"name": "F5 BIG-IP",
"product": {
"name": "F5 BIG-IP",
"product_id": "T001663",
"product_identification_helper": {
"cpe": "cpe:/a:f5:big-ip:-"
}
}
}
],
"category": "vendor",
"name": "F5"
},
{
"branches": [
{
"category": "product_name",
"name": "HCL BigFix",
"product": {
"name": "HCL BigFix",
"product_id": "T036271",
"product_identification_helper": {
"cpe": "cpe:/a:hcltech:bigfix:inventory"
}
}
},
{
"branches": [
{
"category": "product_name",
"name": "HCL Commerce",
"product": {
"name": "HCL Commerce",
"product_id": "T019294",
"product_identification_helper": {
"cpe": "cpe:/a:hcltechsw:commerce:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.1.18.2",
"product": {
"name": "HCL Commerce \u003c9.1.18.2",
"product_id": "T045896"
}
},
{
"category": "product_version",
"name": "9.1.18.2",
"product": {
"name": "HCL Commerce 9.1.18.2",
"product_id": "T045896-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:hcltechsw:commerce:9.1.18.2"
}
}
}
],
"category": "product_name",
"name": "Commerce"
}
],
"category": "vendor",
"name": "HCL"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM Business Automation Workflow",
"product": {
"name": "IBM Business Automation Workflow",
"product_id": "T024464",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:containers"
}
}
},
{
"category": "product_version",
"name": "24.0.0",
"product": {
"name": "IBM Business Automation Workflow 24.0.0",
"product_id": "T036570",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:24.0.0"
}
}
},
{
"category": "product_name",
"name": "IBM Business Automation Workflow",
"product": {
"name": "IBM Business Automation Workflow",
"product_id": "T043411",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:-"
}
}
},
{
"category": "product_version",
"name": "24.0.1",
"product": {
"name": "IBM Business Automation Workflow 24.0.1",
"product_id": "T049760",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:24.0.1"
}
}
},
{
"category": "product_version",
"name": "25.0.0",
"product": {
"name": "IBM Business Automation Workflow 25.0.0",
"product_id": "T049761",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:business_automation_workflow:25.0.0"
}
}
}
],
"category": "product_name",
"name": "Business Automation Workflow"
},
{
"branches": [
{
"category": "product_version",
"name": "11",
"product": {
"name": "IBM DevOps Code ClearCase 11.0",
"product_id": "T046313",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:devops_code_clearcase:11.0"
}
}
}
],
"category": "product_name",
"name": "DevOps Code ClearCase"
},
{
"category": "product_name",
"name": "IBM FileNet Content Manager",
"product": {
"name": "IBM FileNet Content Manager",
"product_id": "T025993",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:filenet_content_manager:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "9",
"product": {
"name": "IBM InfoSphere Identity Insight 9.0",
"product_id": "723109",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_identity_insight:9.0"
}
}
},
{
"category": "product_version",
"name": "9.1",
"product": {
"name": "IBM InfoSphere Identity Insight 9.1",
"product_id": "T024310",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_identity_insight:9.1"
}
}
},
{
"category": "product_version",
"name": "10",
"product": {
"name": "IBM InfoSphere Identity Insight 10.0",
"product_id": "T024311",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_identity_insight:10.0"
}
}
}
],
"category": "product_name",
"name": "InfoSphere Identity Insight"
},
{
"branches": [
{
"category": "product_version",
"name": "11.7",
"product": {
"name": "IBM InfoSphere Information Server 11.7",
"product_id": "444803",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
}
}
},
{
"category": "product_name",
"name": "IBM InfoSphere Information Server",
"product": {
"name": "IBM InfoSphere Information Server",
"product_id": "T035705",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:infosphere_information_server:-"
}
}
}
],
"category": "product_name",
"name": "InfoSphere Information Server"
},
{
"branches": [
{
"category": "product_version",
"name": "for z/OS 10.1.0.0-10.1.0.5",
"product": {
"name": "IBM Integration Bus for z/OS 10.1.0.0-10.1.0.5",
"product_id": "T046252",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:integration_bus:10.1.0.0_-_10.1.0.5::zos"
}
}
}
],
"category": "product_name",
"name": "Integration Bus"
},
{
"category": "product_name",
"name": "IBM License Metric Tool",
"product": {
"name": "IBM License Metric Tool",
"product_id": "T029071",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:license_metric_tool:-"
}
}
},
{
"branches": [
{
"category": "product_name",
"name": "IBM MQ",
"product": {
"name": "IBM MQ",
"product_id": "T036688",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:operator"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.1.0.32",
"product": {
"name": "IBM MQ \u003c9.1.0.32",
"product_id": "T048096"
}
},
{
"category": "product_version",
"name": "9.1.0.32",
"product": {
"name": "IBM MQ 9.1.0.32",
"product_id": "T048096-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:9.1.0.32"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.2.0.38",
"product": {
"name": "IBM MQ \u003c9.2.0.38",
"product_id": "T048097"
}
},
{
"category": "product_version",
"name": "9.2.0.38",
"product": {
"name": "IBM MQ 9.2.0.38",
"product_id": "T048097-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:9.2.0.38"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.0.16",
"product": {
"name": "IBM MQ \u003c9.4.0.16",
"product_id": "T048098"
}
},
{
"category": "product_version",
"name": "9.4.0.16",
"product": {
"name": "IBM MQ 9.4.0.16",
"product_id": "T048098-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:9.4.0.16"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.4.0",
"product": {
"name": "IBM MQ \u003c9.4.4.0",
"product_id": "T048099"
}
},
{
"category": "product_version",
"name": "9.4.4.0",
"product": {
"name": "IBM MQ 9.4.4.0",
"product_id": "T048099-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:mq:9.4.4.0"
}
}
}
],
"category": "product_name",
"name": "MQ"
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager",
"product": {
"name": "IBM Operational Decision Manager",
"product_id": "T005180",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:-"
}
}
},
{
"category": "product_name",
"name": "IBM QRadar SIEM",
"product": {
"name": "IBM QRadar SIEM",
"product_id": "T021415",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:qradar_siem:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "9.1",
"product": {
"name": "IBM Rational ClearCase 9.1",
"product_id": "T021423",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:rational_clearcase:9.1"
}
}
},
{
"category": "product_version",
"name": "10.0.0",
"product": {
"name": "IBM Rational ClearCase 10.0.0",
"product_id": "T026520",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:rational_clearcase:10.0.0"
}
}
}
],
"category": "product_name",
"name": "Rational ClearCase"
},
{
"branches": [
{
"category": "product_version",
"name": "Analytic Server",
"product": {
"name": "IBM SPSS Analytic Server",
"product_id": "T011787",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spss:analytic_server"
}
}
},
{
"category": "product_version",
"name": "Collaboration and Deployment Services",
"product": {
"name": "IBM SPSS Collaboration and Deployment Services",
"product_id": "T037766",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spss:collaboration_and_deployment_services"
}
}
}
],
"category": "product_name",
"name": "SPSS"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cv10.0.9.1",
"product": {
"name": "IBM Security Verify Access \u003cv10.0.9.1",
"product_id": "T049459"
}
},
{
"category": "product_version",
"name": "v10.0.9.1",
"product": {
"name": "IBM Security Verify Access v10.0.9.1",
"product_id": "T049459-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_verify_access:v10.0.9.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003cv11.0.2",
"product": {
"name": "IBM Security Verify Access \u003cv11.0.2",
"product_id": "T049461"
}
},
{
"category": "product_version",
"name": "v11.0.2",
"product": {
"name": "IBM Security Verify Access v11.0.2",
"product_id": "T049461-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_verify_access:v11.0.2"
}
}
}
],
"category": "product_name",
"name": "Security Verify Access"
},
{
"branches": [
{
"category": "product_version_range",
"name": "Operations Center \u003c8.1.27.100",
"product": {
"name": "IBM Spectrum Protect Operations Center \u003c8.1.27.100",
"product_id": "T048541"
}
},
{
"category": "product_version",
"name": "Operations Center 8.1.27.100",
"product": {
"name": "IBM Spectrum Protect Operations Center 8.1.27.100",
"product_id": "T048541-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_protect:operations_center__8.1.27.100"
}
}
}
],
"category": "product_name",
"name": "Spectrum Protect"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c5.2.3.3",
"product": {
"name": "IBM Storage Scale \u003c5.2.3.3",
"product_id": "T046658"
}
},
{
"category": "product_version",
"name": "5.2.3.3",
"product": {
"name": "IBM Storage Scale 5.2.3.3",
"product_id": "T046658-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.2.3.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.1.9.12",
"product": {
"name": "IBM Storage Scale \u003c5.1.9.12",
"product_id": "T047696"
}
},
{
"category": "product_version",
"name": "5.1.9.12",
"product": {
"name": "IBM Storage Scale 5.1.9.12",
"product_id": "T047696-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:5.1.9.12"
}
}
}
],
"category": "product_name",
"name": "Storage Scale"
},
{
"branches": [
{
"category": "product_version",
"name": "Multiplatforms",
"product": {
"name": "IBM TXSeries Multiplatforms",
"product_id": "T045090",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:txseries:multiplatforms"
}
}
}
],
"category": "product_name",
"name": "TXSeries"
},
{
"category": "product_name",
"name": "IBM Tivoli Business Service Manager",
"product": {
"name": "IBM Tivoli Business Service Manager",
"product_id": "5175",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_business_service_manager:-"
}
}
},
{
"category": "product_name",
"name": "IBM Tivoli Key Lifecycle Manager",
"product": {
"name": "IBM Tivoli Key Lifecycle Manager",
"product_id": "T026238",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_key_lifecycle_manager:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.3.0.7 SP 5",
"product": {
"name": "IBM Tivoli Monitoring \u003c6.3.0.7 SP 5",
"product_id": "T047377"
}
},
{
"category": "product_version",
"name": "6.3.0.7 SP 5",
"product": {
"name": "IBM Tivoli Monitoring 6.3.0.7 SP 5",
"product_id": "T047377-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_monitoring:6.3.0.7_sp_5"
}
}
}
],
"category": "product_name",
"name": "Tivoli Monitoring"
},
{
"category": "product_name",
"name": "IBM Tivoli Netcool/OMNIbus",
"product": {
"name": "IBM Tivoli Netcool/OMNIbus",
"product_id": "T004181",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "IP Edition \u003c4.2 Fix Pack 23",
"product": {
"name": "IBM Tivoli Network Manager IP Edition \u003c4.2 Fix Pack 23",
"product_id": "T046654"
}
},
{
"category": "product_version",
"name": "IP Edition 4.2 Fix Pack 23",
"product": {
"name": "IBM Tivoli Network Manager IP Edition 4.2 Fix Pack 23",
"product_id": "T046654-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:tivoli_network_manager:ip_edition___4.2_fix_pack_23"
}
}
}
],
"category": "product_name",
"name": "Tivoli Network Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "8.5",
"product": {
"name": "IBM WebSphere Application Server 8.5",
"product_id": "703851",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:websphere_application_server:8.5"
}
}
},
{
"category": "product_version",
"name": "9",
"product": {
"name": "IBM WebSphere Application Server 9.0",
"product_id": "703852",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:websphere_application_server:9.0"
}
}
},
{
"category": "product_version",
"name": "Liberty 17.0.0.3-25.0.0.8",
"product": {
"name": "IBM WebSphere Application Server Liberty 17.0.0.3-25.0.0.8",
"product_id": "T046203",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:websphere_application_server:17.0.0.3_-_25.0.0.8::liberty"
}
}
}
],
"category": "product_name",
"name": "WebSphere Application Server"
},
{
"branches": [
{
"category": "product_version",
"name": "8.5",
"product": {
"name": "IBM WebSphere Service Registry and Repository 8.5",
"product_id": "306235",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:websphere_service_registry_and_repository:8.5"
}
}
}
],
"category": "product_name",
"name": "WebSphere Service Registry and Repository"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "for Linux",
"product": {
"name": "NetApp ActiveIQ Unified Manager for Linux",
"product_id": "T023548",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_linux"
}
}
},
{
"category": "product_version",
"name": "for VMware vSphere",
"product": {
"name": "NetApp ActiveIQ Unified Manager for VMware vSphere",
"product_id": "T025152",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere"
}
}
},
{
"category": "product_version",
"name": "for Microsoft Windows",
"product": {
"name": "NetApp ActiveIQ Unified Manager for Microsoft Windows",
"product_id": "T025631",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows"
}
}
}
],
"category": "product_name",
"name": "ActiveIQ Unified Manager"
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.1.1",
"product": {
"name": "Red Hat JBoss Web Server \u003c6.1.1",
"product_id": "T045760"
}
},
{
"category": "product_version",
"name": "6.1.1",
"product": {
"name": "Red Hat JBoss Web Server 6.1.1",
"product_id": "T045760-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1.1"
}
}
}
],
"category": "product_name",
"name": "JBoss Web Server"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS \u003c9.4M9 (TS1M9)",
"product_id": "T047382"
}
},
{
"category": "product_version",
"name": "9.4M9 (TS1M9)",
"product": {
"name": "SAS Institute Base SAS 9.4M9 (TS1M9)",
"product_id": "T047382-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:sas:base_sas:9.4m9_%28ts1m9%29"
}
}
}
],
"category": "product_name",
"name": "Base SAS"
}
],
"category": "vendor",
"name": "SAS Institute"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "v7",
"product": {
"name": "Xerox FreeFlow Print Server v7",
"product_id": "T035098",
"product_identification_helper": {
"cpe": "cpe:/a:xerox:freeflow_print_server:v7"
}
}
}
],
"category": "product_name",
"name": "FreeFlow Print Server"
}
],
"category": "vendor",
"name": "Xerox"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T048098",
"T048692",
"T048097",
"T048691",
"T049461",
"T048096",
"T048690",
"T019294",
"T035098",
"T004914",
"703851",
"703852",
"T021415",
"398363",
"T048099",
"T048693",
"T046313",
"T048699",
"T048698",
"T045090",
"T035705",
"T045729",
"T037766",
"T021423",
"T036271",
"T045852",
"T045896",
"2951",
"T002207",
"T044647",
"T044646",
"444803",
"T004181",
"T026238",
"T049459",
"T048962",
"306235",
"T048961",
"T025152",
"T047382",
"67646",
"T011787",
"T029071",
"T036688",
"T046658",
"T045448",
"T045447",
"T045449",
"T025631",
"T001663",
"T005180",
"T024464",
"T025993",
"T049761",
"T046252",
"T049760",
"T045760",
"T046654",
"T026520",
"5175",
"T032255",
"T023548",
"723109",
"T043411",
"T036570",
"T048701",
"T024311",
"T024310",
"T048541",
"T048700",
"T046203",
"T047377",
"T047696",
"T048026",
"T048301"
]
},
"release_date": "2025-06-16T22:00:00.000+00:00",
"title": "CVE-2025-48976"
}
]
}
WID-SEC-W-2025-2351
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-21 22:00Summary
Oracle REST Data Services: Schwachstelle gefährdet Verfügbarkeit
Severity
Niedrig
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle REST Data Services (ORDS) ermöglicht die Erstellung grundlegender RESTful Web Services unter Verwendung von PL/SQL.
Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Oracle REST Data Services ausnutzen, um die Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle REST Data Services 25.2.1
Oracle / REST Data Services
|
cpe:/a:oracle:rest_data_services:25.2.1
|
25.2.1 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle REST Data Services (ORDS) erm\u00f6glicht die Erstellung grundlegender RESTful Web Services unter Verwendung von PL/SQL.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Oracle REST Data Services ausnutzen, um die Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2351 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2351.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2351 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2351"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle REST Data Services vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixREST"
}
],
"source_lang": "en-US",
"title": "Oracle REST Data Services: Schwachstelle gef\u00e4hrdet Verf\u00fcgbarkeit",
"tracking": {
"current_release_date": "2025-10-21T22:00:00.000+00:00",
"generator": {
"date": "2025-10-22T09:43:27.054+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2351",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "25.2.1",
"product": {
"name": "Oracle REST Data Services 25.2.1",
"product_id": "T047880",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:rest_data_services:25.2.1"
}
}
}
],
"category": "product_name",
"name": "REST Data Services"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T047880"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
}
]
}
WID-SEC-W-2025-2353
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-21 22:00Summary
Oracle Construction and Engineering: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
Affected products
Last affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Construction and Engineering <=24.12.4.0
Oracle / Construction and Engineering
|
<=24.12.4.0 | ||
|
Oracle Construction and Engineering <=23.12.15
Oracle / Construction and Engineering
|
<=23.12.15 | ||
|
Oracle Construction and Engineering <=22.12.20.0
Oracle / Construction and Engineering
|
<=22.12.20.0 | ||
|
Oracle Construction and Engineering <=23.12.14.0
Oracle / Construction and Engineering
|
<=23.12.14.0 | ||
|
Oracle Construction and Engineering <=24.12.9
Oracle / Construction and Engineering
|
<=24.12.9 | ||
|
Oracle Construction and Engineering <=20.12.17
Oracle / Construction and Engineering
|
<=20.12.17 | ||
|
Oracle Construction and Engineering <=21.12.17
Oracle / Construction and Engineering
|
<=21.12.17 | ||
|
Oracle Construction and Engineering <=20.12.16
Oracle / Construction and Engineering
|
<=20.12.16 | ||
|
Oracle Construction and Engineering <=21.12.15
Oracle / Construction and Engineering
|
<=21.12.15 | ||
|
Oracle Construction and Engineering <=22.12.15
Oracle / Construction and Engineering
|
<=22.12.15 | ||
|
Oracle Construction and Engineering <=20.12.21.0
Oracle / Construction and Engineering
|
<=20.12.21.0 | ||
|
Oracle Construction and Engineering <=21.12.21.2
Oracle / Construction and Engineering
|
<=21.12.21.2 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterst\u00fctzung von Bau- und Ingenieurb\u00fcros. Sie umfasst u. a. Projektmanagement-L\u00f6sungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von \u00c4nderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2353 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2353.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2353 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2353"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Construction and Engineering vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixPVA"
}
],
"source_lang": "en-US",
"title": "Oracle Construction and Engineering: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-21T22:00:00.000+00:00",
"generator": {
"date": "2025-10-22T10:03:26.811+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2353",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=20.12.16",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.16",
"product_id": "T027346"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.16",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.16",
"product_id": "T027346-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.15",
"product_id": "T028688"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.15",
"product_id": "T028688-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.17",
"product_id": "T032097"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.17",
"product_id": "T032097-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.15",
"product_id": "T040454"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.15",
"product_id": "T040454-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.17",
"product_id": "T042801"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.17",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.17",
"product_id": "T042801-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.21.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.21.0",
"product_id": "T047896"
}
},
{
"category": "product_version_range",
"name": "\u003c=20.12.21.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=20.12.21.0",
"product_id": "T047896-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.21.2",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.21.2",
"product_id": "T047897"
}
},
{
"category": "product_version_range",
"name": "\u003c=21.12.21.2",
"product": {
"name": "Oracle Construction and Engineering \u003c=21.12.21.2",
"product_id": "T047897-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.20.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.20.0",
"product_id": "T047898"
}
},
{
"category": "product_version_range",
"name": "\u003c=22.12.20.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=22.12.20.0",
"product_id": "T047898-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.14.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.14.0",
"product_id": "T047899"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.14.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.14.0",
"product_id": "T047899-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.4.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.4.0",
"product_id": "T047900"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.4.0",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.4.0",
"product_id": "T047900-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.15",
"product_id": "T047901"
}
},
{
"category": "product_version_range",
"name": "\u003c=23.12.15",
"product": {
"name": "Oracle Construction and Engineering \u003c=23.12.15",
"product_id": "T047901-fixed"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.9",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.9",
"product_id": "T047902"
}
},
{
"category": "product_version_range",
"name": "\u003c=24.12.9",
"product": {
"name": "Oracle Construction and Engineering \u003c=24.12.9",
"product_id": "T047902-fixed"
}
}
],
"category": "product_name",
"name": "Construction and Engineering"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-27363",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27363"
},
{
"cve": "CVE-2025-27553",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27553"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-5878",
"product_status": {
"last_affected": [
"T047900",
"T047901",
"T047898",
"T047899",
"T047902",
"T042801",
"T032097",
"T027346",
"T028688",
"T040454",
"T047896",
"T047897"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-5878"
}
]
}
WID-SEC-W-2025-2355
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-21 22:00Summary
Oracle Enterprise Manager: Mehrere Schwachstellen
Severity
Mittel
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Enterprise Manager 14.1.2.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.2.0.0
|
14.1.2.0.0 | |
|
Oracle Enterprise Manager 13.5
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:13.5
|
13.5 | |
|
Oracle Enterprise Manager 14.1.1.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.1.0.0
|
14.1.1.0.0 | |
|
Oracle Enterprise Manager 24.1
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:24.1
|
24.1 | |
|
Oracle Enterprise Manager 12.2.1.4.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:12.2.1.4.0
|
12.2.1.4.0 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Enterprise Manager 14.1.2.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.2.0.0
|
14.1.2.0.0 | |
|
Oracle Enterprise Manager 13.5
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:13.5
|
13.5 | |
|
Oracle Enterprise Manager 14.1.1.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.1.0.0
|
14.1.1.0.0 | |
|
Oracle Enterprise Manager 24.1
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:24.1
|
24.1 | |
|
Oracle Enterprise Manager 12.2.1.4.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:12.2.1.4.0
|
12.2.1.4.0 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Enterprise Manager 14.1.2.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.2.0.0
|
14.1.2.0.0 | |
|
Oracle Enterprise Manager 13.5
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:13.5
|
13.5 | |
|
Oracle Enterprise Manager 14.1.1.0.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:14.1.1.0.0
|
14.1.1.0.0 | |
|
Oracle Enterprise Manager 24.1
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:24.1
|
24.1 | |
|
Oracle Enterprise Manager 12.2.1.4.0
Oracle / Enterprise Manager
|
cpe:/a:oracle:enterprise_manager:12.2.1.4.0
|
12.2.1.4.0 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle f\u00fcr Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2355 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2355.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2355 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2355"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Enterprise Manager vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixEM"
}
],
"source_lang": "en-US",
"title": "Oracle Enterprise Manager: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-21T22:00:00.000+00:00",
"generator": {
"date": "2025-10-22T10:03:27.655+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2355",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "12.2.1.4.0",
"product": {
"name": "Oracle Enterprise Manager 12.2.1.4.0",
"product_id": "T038389",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:12.2.1.4.0"
}
}
},
{
"category": "product_version",
"name": "14.1.1.0.0",
"product": {
"name": "Oracle Enterprise Manager 14.1.1.0.0",
"product_id": "T047903",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:14.1.1.0.0"
}
}
},
{
"category": "product_version",
"name": "14.1.2.0.0",
"product": {
"name": "Oracle Enterprise Manager 14.1.2.0.0",
"product_id": "T047904",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:14.1.2.0.0"
}
}
},
{
"category": "product_version",
"name": "13.5",
"product": {
"name": "Oracle Enterprise Manager 13.5",
"product_id": "T047905",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:13.5"
}
}
},
{
"category": "product_version",
"name": "24.1",
"product": {
"name": "Oracle Enterprise Manager 24.1",
"product_id": "T047906",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:24.1"
}
}
}
],
"category": "product_name",
"name": "Enterprise Manager"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-38819",
"product_status": {
"known_affected": [
"T047904",
"T047905",
"T047903",
"T047906",
"T038389"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2024-38819"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T047904",
"T047905",
"T047903",
"T047906",
"T038389"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-49128",
"product_status": {
"known_affected": [
"T047904",
"T047905",
"T047903",
"T047906",
"T038389"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-49128"
}
]
}
WID-SEC-W-2025-2356
Vulnerability from csaf_certbund - Published: 2025-10-21 22:00 - Updated: 2025-10-22 22:00Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- Sonstiges
- Windows
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
Affected products
Known affected
10 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications 8.0.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8
|
8.0.8 | |
|
Oracle Financial Services Applications 8.0.8.1
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.1
|
8.0.8.1 | |
|
Oracle Financial Services Applications 8.1.3.2
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.3.2
|
8.1.3.2 | |
|
Oracle Financial Services Applications 8.1.2.10
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.10
|
8.1.2.10 | |
|
Oracle Financial Services Applications 8.1.2.5
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.5
|
8.1.2.5 | |
|
Oracle Financial Services Applications 8.1.2.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.7
|
8.1.2.7 | |
|
Oracle Financial Services Applications 8.1.2.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.9
|
8.1.2.9 | |
|
Oracle Financial Services Applications 8.1.2.8
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.1.2.8
|
8.1.2.8 | |
|
Oracle Financial Services Applications 8.0.8.7
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.8.7
|
8.0.8.7 | |
|
Oracle Financial Services Applications 8.0.7.9
Oracle / Financial Services Applications
|
cpe:/a:oracle:financial_services_applications:8.0.7.9
|
8.0.7.9 |
Last affected
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Oracle Financial Services Applications <=7.2.0.0.0
Oracle / Financial Services Applications
|
<=7.2.0.0.0 | ||
|
Oracle Financial Services Applications <=14.7.0.0.0
Oracle / Financial Services Applications
|
<=14.7.0.0.0 | ||
|
Oracle Financial Services Applications <=14.8.0.0.0
Oracle / Financial Services Applications
|
<=14.8.0.0.0 |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Financial Services ist eine Zusammenstellung von Anwendungen f\u00fcr den Finanzsektor und eine Technologiebasis zur Erf\u00fcllung von IT- und Gesch\u00e4ftsanforderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2356 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2356.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2356 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2356"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - October 2025 - Appendix Oracle Financial Services Applications vom 2025-10-21",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixIFLX"
}
],
"source_lang": "en-US",
"title": "Oracle Financial Services Applications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-10-22T22:00:00.000+00:00",
"generator": {
"date": "2025-10-23T08:39:19.937+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2356",
"initial_release_date": "2025-10-21T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-22T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-35258, EUVD-2025-35295, EUVD-2025-35299, EUVD-2025-35298, EUVD-2025-35297, EUVD-2025-35296, EUVD-2025-35300"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8.0.8",
"product": {
"name": "Oracle Financial Services Applications 8.0.8",
"product_id": "T021677",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8"
}
}
},
{
"category": "product_version",
"name": "8.0.8.1",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.1",
"product_id": "T022844",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=14.7.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.7.0.0.0",
"product_id": "T028702"
}
},
{
"category": "product_version_range",
"name": "\u003c=14.7.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.7.0.0.0",
"product_id": "T028702-fixed"
}
},
{
"category": "product_version",
"name": "8.1.2.5",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.5",
"product_id": "T028706",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.5"
}
}
},
{
"category": "product_version",
"name": "8.1.2.7",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.7",
"product_id": "T036217",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.7"
}
}
},
{
"category": "product_version",
"name": "8.1.2.8",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.8",
"product_id": "T038392",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.8"
}
}
},
{
"category": "product_version",
"name": "8.1.2.9",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.9",
"product_id": "T042811",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.9"
}
}
},
{
"category": "product_version",
"name": "8.0.7.9",
"product": {
"name": "Oracle Financial Services Applications 8.0.7.9",
"product_id": "T047907",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.7.9"
}
}
},
{
"category": "product_version",
"name": "8.0.8.7",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.7",
"product_id": "T047908",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=14.8.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.8.0.0.0",
"product_id": "T047909"
}
},
{
"category": "product_version_range",
"name": "\u003c=14.8.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=14.8.0.0.0",
"product_id": "T047909-fixed"
}
},
{
"category": "product_version",
"name": "8.1.2.10",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.10",
"product_id": "T047910",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.10"
}
}
},
{
"category": "product_version",
"name": "8.1.3.2",
"product": {
"name": "Oracle Financial Services Applications 8.1.3.2",
"product_id": "T047911",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.3.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c=7.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=7.2.0.0.0",
"product_id": "T047912"
}
},
{
"category": "product_version_range",
"name": "\u003c=7.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications \u003c=7.2.0.0.0",
"product_id": "T047912-fixed"
}
}
],
"category": "product_name",
"name": "Financial Services Applications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-11988",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2020-11988"
},
{
"cve": "CVE-2024-28168",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2024-28168"
},
{
"cve": "CVE-2025-27553",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27553"
},
{
"cve": "CVE-2025-27817",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-27817"
},
{
"cve": "CVE-2025-31672",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-31672"
},
{
"cve": "CVE-2025-32415",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-32415"
},
{
"cve": "CVE-2025-41249",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-41249"
},
{
"cve": "CVE-2025-48924",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48924"
},
{
"cve": "CVE-2025-48976",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48976"
},
{
"cve": "CVE-2025-48989",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-48989"
},
{
"cve": "CVE-2025-50074",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-50074"
},
{
"cve": "CVE-2025-50075",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-50075"
},
{
"cve": "CVE-2025-5115",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-5115"
},
{
"cve": "CVE-2025-53034",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53034"
},
{
"cve": "CVE-2025-53035",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53035"
},
{
"cve": "CVE-2025-53036",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53036"
},
{
"cve": "CVE-2025-53037",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-53037"
},
{
"cve": "CVE-2025-55163",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-55163"
},
{
"cve": "CVE-2025-59375",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-59375"
},
{
"cve": "CVE-2025-61751",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-61751"
},
{
"cve": "CVE-2025-61756",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-61756"
},
{
"cve": "CVE-2025-6965",
"product_status": {
"known_affected": [
"T021677",
"T022844",
"T047911",
"T047910",
"T028706",
"T036217",
"T042811",
"T038392",
"T047908",
"T047907"
],
"last_affected": [
"T047912",
"T028702",
"T047909"
]
},
"release_date": "2025-10-21T22:00:00.000+00:00",
"title": "CVE-2025-6965"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…