INFSA-2025:11332: tomcat9 security update
Information about definition
Identifier: INFSA-2025:11332
Type: security
Release date: 2025-07-25 10:59:22 UTC
Information about package
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.
Vulnerabilities description
- CVE-2024-56337
A Time-of-check Time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code execution.
- CVE-2025-31650
A flaw was found in Apache Tomcat. Maliciously crafted HTTP/2 prioritization headers cause a request to fail, and Tomcat performs an incomplete cleanup of such failed requests, which triggers a memory leak. The result is an application-level denial of service (DoS): the server becomes slow or unresponsive.
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2024-56337 | no information | 8.1 | no information |
NIST — CVE-2025-31650 | no information | 7.5 | no information |
Updated packages