CVE-2025-46701

Source
Severity Low
Remote Yes
Type Access restriction bypass
Description
When running on a case-insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.
Group     Package   Affected   Fixed  Severity  Status      Ticket
AVG-2889  tomcat9   9.0.100-1  -      Low       Vulnerable  -
AVG-2888  tomcat10  10.1.40-1  -      Low       Vulnerable  -
References
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105