CVE-2025-46701 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Access restriction bypass
Description	When running on a case insensitive file system with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2889	tomcat9	9.0.100-1		Low	Vulnerable
AVG-2888	tomcat10	10.1.40-1		Low	Vulnerable

References
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105

References

https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105