GHSA-wc4r-xq3c-5cf3

Source

https://github.com/advisories/GHSA-wc4r-xq3c-5cf3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wc4r-xq3c-5cf3

Aliases

Related

CGA-mqcq-4vj8-j6r4

Published

2025-06-16T15:32:28Z

Modified

2025-06-20T10:42:03.474452Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache Tomcat - Security constraint bypass for pre/post-resources

Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Database specific

{
    "nvd_published_at": "2025-06-16T15:15:24Z",
    "cwe_ids": [
        "CWE-288"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T18:02:12Z"
}

References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.8

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

11.0.0-M17

11.0.0-M18

11.0.0-M19

11.0.0-M20

11.0.0-M21

11.0.0-M22

11.0.0-M24

11.0.0-M25

11.0.0-M26

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

Database specific

{
    "last_known_affected_version_range": "<= 11.0.7"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.42

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

10.1.19

10.1.20

10.1.23

10.1.24

10.1.25

10.1.26

10.1.28

10.1.29

10.1.30

10.1.31

10.1.33

10.1.34

10.1.35

10.1.36

10.1.39

10.1.40

10.1.41

Database specific

{
    "last_known_affected_version_range": "<= 10.1.41"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.106

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

9.0.86

9.0.87

9.0.88

9.0.89

9.0.90

9.0.91

9.0.93

9.0.94

9.0.95

9.0.96

9.0.97

9.0.98

9.0.99

9.0.100

9.0.102

9.0.104

9.0.105

Database specific

{
    "last_known_affected_version_range": "<= 9.0.105"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.8

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

11.0.0-M17

11.0.0-M18

11.0.0-M19

11.0.0-M20

11.0.0-M21

11.0.0-M22

11.0.0-M24

11.0.0-M25

11.0.0-M26

11.0.0

11.0.1

11.0.2

11.0.3

11.0.4

11.0.5

11.0.6

11.0.7

Database specific

{
    "last_known_affected_version_range": "<= 11.0.7"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.42

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

10.1.19

10.1.20

10.1.23

10.1.24

10.1.25

10.1.26

10.1.28

10.1.29

10.1.30

10.1.31

10.1.33

10.1.34

10.1.35

10.1.36

10.1.39

10.1.40

10.1.41

Database specific

{
    "last_known_affected_version_range": "<= 10.1.41"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0.M1

Fixed

9.0.106

Affected versions

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

9.0.86

9.0.87

9.0.88

9.0.89

9.0.90

9.0.91

9.0.93

9.0.94

9.0.95

9.0.96

9.0.97

9.0.98

9.0.99

9.0.100

9.0.102

9.0.104

9.0.105

Database specific

{
    "last_known_affected_version_range": "<= 9.0.105"
}