ALT-BU-2025-9993-3

Branch c10f2 update bulletin.

Package tomcat updated to version 9.0.68-alt1 for branch c10f2 in task 391215.

Уязвимость сервера приложений Apache Tomcat, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2025-48988

Уязвимость библиотеки Apache Commons FileUpload, связанная с неограниченным распределением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2025-48976

Уязвимость компонента компоненте pathInfo URI сервера приложений Apache Tomcat, позволяющая нарушителю обойти существующие ограничения безопасности

Severity: HIGH (7.3)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

References:

CVE-2025-46701

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Severity: HIGH (7.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References:

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Apache Tomcat - CGI security constraint bypass

Severity: LOW (1.7)Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

References:

Apache Tomcat - DoS in multipart upload

Severity: HIGH (8.7)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (8.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References:

Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

Severity: HIGH (8.7)Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References:

Package mcpp updated to version 2.7.2.2-alt1 for branch c10f2 in task 391260.

MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: MEDIUM (5.5)Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References:

Version: 2.1.2

Branch c10f2 update on 2025-08-03

ALT-BU-2025-9993-3

ALT-PU-2025-9837-5

Closed vulnerabilities

BDU:2025-07526

BDU:2025-07776

BDU:2025-09498

CVE-2025-46701

CVE-2025-48976

CVE-2025-48988

GHSA-h2fw-rfh5-95r3

GHSA-h3gc-qfqq-6h8f

GHSA-vv7r-c36w-3prj

ALT-PU-2025-9866-3

Closed vulnerabilities

CVE-2019-14274