CVE-2025-46701

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46701
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/05/29/4 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
History

25 Jun 2025, 15:40

Type Values Removed Values Added
CPE cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
First Time Apache
Apache tomcat
References () https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j - () https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/05/29/4 - () http://www.openwall.com/lists/oss-security/2025/05/29/4 - Mailing List, Third Party Advisory

30 May 2025, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.3
Summary
  • (es) La vulnerabilidad de manejo incorrecto de la distinción entre mayúsculas y minúsculas en el servlet GCI de Apache Tomcat permite eludir las restricciones de seguridad aplicables al componente pathInfo de una URI asignada al servlet CGI. Este problema afecta a Apache Tomcat: de la 11.0.0-M1 a la 11.0.6, de la 10.1.0-M1 a la 10.1.40 y de la 9.0.0.M1 a la 9.0.104. Se recomienda a los usuarios actualizar a las versiones 11.0.7, 10.1.41 o 9.0.105, que solucionan el problema.

29 May 2025, 22:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/05/29/4 -

29 May 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-29 19:15

Updated : 2025-06-25 15:40

NVD link : CVE-2025-46701

Mitre link : CVE-2025-46701

CVE.ORG link : CVE-2025-46701

JSON object : View

Products Affected

apache

  • tomcat
CWE
CWE-178

Improper Handling of Case Sensitivity