CVE-2025-46701 - log back

CVE-2025-46701 edited at 18 Jun 2025 22:49:54
Description
- When running on a case insensitive file system with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.
+ When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.
CVE-2025-46701 edited at 29 May 2025 21:56:54
Severity
- High
+ Low
CVE-2025-46701 edited at 29 May 2025 21:56:12
Description
+ When running on a case insensitive file system with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.
- When running on a case insensitive file system with security constraints
- configured for the <code>pathInfo</code> component of a URL that mapped
- to the CGI servlet, it was possible to bypass those security constraints
- with a specially crafted URL.
CVE-2025-46701 created at 29 May 2025 21:54:44
Severity
+ High
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ When running on a case insensitive file system with security constraints
+ configured for the <code>pathInfo</code> component of a URL that mapped
+ to the CGI servlet, it was possible to bypass those security constraints
+ with a specially crafted URL.
References
+ https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
+ https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105
Notes