Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN140

_____________________________________________________________________

DATE                : 14/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to
                                11.0.3, 10.1.35, 9.0.99.

=====================================================================
https://lists.apache.org/thread/xl35tnb4979lnk7stnvx9sll1hb68kvf
_____________________________________________________________________

CVE-2025-24813 Potential RCE and/or information disclosure and/or 
information corruption with partial PUT

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98

Description:
The original implementation of partial PUT used a temporary file based 
on the user provided file name and path with the path separator
replaced by ".".

If all of the following were true, a malicious user was able to view 
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory
   of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being
   uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform 
remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with
   the default storage location
- application included a library that may be leveraged in a
   deserialization attack

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later

Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)

History:
2025-03-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================