CVE-2025-49124

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49124
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49124.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49124
Aliases
Downstream
Published
2025-06-16T15:15:24.707Z
Modified
2026-03-14T12:43:42.353256Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Introduced
bd48c597e3cb280d73d9c9279babcaf75b6879c0
Fixed
05ccf0c3e22d388f0cf853e32485d8249d051f2f
Introduced
e9d17cddc285615807ec5fef09240777436b25dc
Fixed
0289da4f342744334e0fc5a53ee958e68024fead
Introduced
56e547d387ab49f688c93fe9ca082b1b5d94deed
Fixed
8a48dcb90f13f1670632e763e945f4cc9ef869e6
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.23"
        },
        {
            "fixed": "9.0.106"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.42"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.0.8"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49124.json"