{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2024-52316: fix unchecked error condition in Jakarta\n  Authentication (JASPIC) ServerAuthContext\n- CVE-2025-46701: fix case sensitivity bypass in CGI servlet\n  pathInfo\n- CVE-2025-55754: add escaping to logging output for ANSI\n  sequences",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1776163133.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-14T10:40:00Z",
      "generator": {
        "date": "2026-04-14T10:40:00Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1776163133",
      "initial_release_date": "2026-04-14T10:40:00Z",
      "revision_history": [
        {
          "date": "2026-04-14T10:40:00Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "tomcat: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-webapps@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-admin-webapps@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-docs-webapp@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-servlet-4.0-api@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-el-3.0-api@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-jsp-2.3-api@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                "product": {
                  "name": "tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_id": "tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/tomcat-lib@9.0.62-11.el9_2.3.tuxcare.els17?arch=noarch&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        },
        "product_reference": "tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-52316",
      "cwe": {
        "id": "CWE-248",
        "name": "Uncaught Exception"
      },
      "notes": [
        {
          "category": "description",
          "text": "Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.\nThe following versions were EOL at the time the CVE was created but are\nknown to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-52316"
        }
      ],
      "release_date": "2024-11-18T11:32:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T10:38:58.941659Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133",
          "product_ids": [
            "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-46701",
      "cwe": {
        "id": "CWE-178",
        "name": "Improper Handling of Case Sensitivity"
      },
      "notes": [
        {
          "category": "description",
          "text": "Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.\nThe following versions were EOL at the time the CVE was created but are\nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions\nmay also be affected.\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
          "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-46701"
        }
      ],
      "release_date": "2025-05-29T19:06:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-14T10:38:58.941659Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133",
          "product_ids": [
            "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1776163133"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:tomcat-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-admin-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-docs-webapp-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-el-3.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-jsp-2.3-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-lib-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-servlet-4.0-api-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch",
            "AlmaLinux-9.2:tomcat-webapps-1:9.0.62-11.el9_2.3.tuxcare.els17.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}