INFSA-2025:11335: tomcat security update
Information about definition
Identificator: INFSA-2025:11335
Type: security
Release date: 2025-07-25 10:48:56 UTC
Information about package
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Vulnerabilities description
- CVE-2024-56337
A Time-of-check Time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code execution.
- CVE-2025-31650
A flaw was found in Apache Tomcat. This vulnerability allows an application-level denial of service (DoS), causing it to become unresponsive or slow via maliciously crafted HTTP/2 prioritization headers. It performs an incomplete cleanup of failed requests, which triggers a memory leak.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-56337
|
no information | 8.1 | no information |
|
NIST — CVE-2025-31650
|
no information | 7.5 | no information |
Updated packages