SUSE update for tomcat

1) Input validation error

EUVDB-ID: #VU105485

Risk: Critical

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2025-24813

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat's file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack

Mitigation

Update the affected package tomcat to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security

SUSE Linux Enterprise Server 12 SP5: LTSS

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

SUSE Linux Enterprise High Performance Computing 12: SP5

tomcat-admin-webapps: before 9.0.36-3.139.1

tomcat-lib: before 9.0.36-3.139.1

tomcat-webapps: before 9.0.36-3.139.1

tomcat-el-3_0-api: before 9.0.36-3.139.1

tomcat-javadoc: before 9.0.36-3.139.1

tomcat-jsp-2_3-api: before 9.0.36-3.139.1

tomcat-servlet-4_0-api: before 9.0.36-3.139.1

tomcat: before 9.0.36-3.139.1

tomcat-docs-webapp: before 9.0.36-3.139.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended:Security:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5:LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:a:suse:tomcat-admin-webapps:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-lib:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-webapps:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-el-3_0-api:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-javadoc:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-jsp-2_3-api:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-servlet-4_0-api:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:tomcat-docs-webapp:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20250954-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.