{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "Bump release",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1775646020.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-08T13:25:30Z",
      "generator": {
        "date": "2026-04-08T13:25:30Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1775646020",
      "initial_release_date": "2026-04-08T11:00:24Z",
      "revision_history": [
        {
          "date": "2026-04-08T11:00:24Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-08T13:25:30Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Update of pki-servlet-engine"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                "product": {
                  "name": "pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                  "product_id": "pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/pki-servlet-4.0-api@9.0.50-1.el9.2.tuxcare.els3?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                "product": {
                  "name": "pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                  "product_id": "pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/pki-servlet-engine@9.0.50-1.el9.2.tuxcare.els3?arch=noarch&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
        },
        "product_reference": "pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
        },
        "product_reference": "pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-52316",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "notes": [
        {
          "category": "description",
          "text": "Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
          "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-52316"
        }
      ],
      "release_date": "2024-11-18T11:32:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-08T11:00:24.817015Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020",
          "product_ids": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-46701",
      "cwe": {
        "id": "CWE-178",
        "name": "Improper Handling of Case Sensitivity"
      },
      "notes": [
        {
          "category": "description",
          "text": "Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
          "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-46701"
        }
      ],
      "release_date": "2025-05-29T19:06:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-08T11:00:24.817015Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020",
          "product_ids": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2025-55754",
      "cwe": {
        "id": "CWE-150",
        "name": "Improper Neutralization of Escape, Meta, or Control Sequences"
      },
      "notes": [
        {
          "category": "description",
          "text": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.\nTomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
          "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-55754"
        }
      ],
      "release_date": "2025-10-27T17:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-08T11:00:24.817015Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020",
          "product_ids": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775646020"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:pki-servlet-4.0-api-1:9.0.50-1.el9.2.tuxcare.els3.noarch",
            "AlmaLinux-9.2:pki-servlet-engine-1:9.0.50-1.el9.2.tuxcare.els3.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}