GHSA-ff77-26x5-69cr

Source

https://github.com/advisories/GHSA-ff77-26x5-69cr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ff77-26x5-69cr

Aliases

Published

2025-04-28T21:30:43Z

Modified

2025-05-06T18:31:55.196868Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Apache Tomcat Rewrite rule bypass

Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.

Database specific

{
    "nvd_published_at": "2025-04-28T20:15:20Z",
    "cwe_ids": [
        "CWE-116",
        "CWE-150"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T15:03:25Z"
}

References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.76

Fixed

9.0.104

Affected versions

9.*

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

9.0.86

9.0.87

9.0.88

9.0.89

9.0.90

9.0.91

9.0.93

9.0.94

9.0.95

9.0.96

9.0.97

9.0.98

9.0.99

9.0.100

9.0.102

Database specific

{
    "last_known_affected_version_range": "<= 9.0.102"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.10

Fixed

10.1.40

Affected versions

10.*

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

10.1.19

10.1.20

10.1.23

10.1.24

10.1.25

10.1.26

10.1.28

10.1.29

10.1.30

10.1.31

10.1.33

10.1.34

10.1.35

10.1.36

10.1.39

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M2

Fixed

11.0.6

Affected versions

11.*

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

11.0.0-M17

11.0.0-M18

11.0.0-M19

11.0.0-M20

11.0.0-M21

11.0.0-M22

11.0.0-M24

11.0.0-M25

11.0.0-M26

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5