DEBIAN-CVE-2025-46701

Advisory lineage Upstream: 1 Downstream: 3

Upstream

CVE-2025-46701

Downstream

DLA-4244-1 DSA-6120-1 DSA-6121-1

Published: 29 May 2025, 19:15

Last modified:28 Apr 2026, 20:30

Vulnerability Summary

Overall Risk (default)

medium

29/100

CVSS Score

7.3 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 May 2025, 19:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:30

Last Modified

Vulnerability information updated

Description

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

CVSS Metrics

v3.1•HIGH•Score: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Systems

debian•tomcat10
all | all | < 10.1.52-1~deb12u1 | < 10.1.52-1~deb13u1 | < 10.1.46-1
debian•tomcat11
all | < 11.0.15-1~deb13u1 | < 11.0.11-1
debian•tomcat9
< 9.0.107-0+deb11u1 | < 9.0.70-2 | < 9.0.70-2 | < 9.0.70-2

References (1)

https://security-tracker.debian.org/tracker/CVE-2025-46701