SB2025011035 - SUSE update for tomcat 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025011035

SB2025011035 - SUSE update for tomcat

Published: January 10, 2025 Updated: June 20, 2025

Security Bulletin ID SB2025011035
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-50379)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.


2) Resource management error (CVE-ID: CVE-2024-52317)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper management of internal resources when handling HTTP/2 responses, which causes request and/or response mix-up between users. A remote non-authenticated attacker can send a series of HTTP/2 requests and gain access to sensitive information.


3) Resource exhaustion (CVE-ID: CVE-2024-54677)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the examples web application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References