Anolis OS update for tomcat
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-50379 CVE-2025-24813 |
| CWE-ID | CWE-264 CWE-20 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Vulnerability #2 is being exploited in the wild. |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system tomcat-webapps Operating systems & Components / Operating system package or component tomcat-servlet-4.0-api Operating systems & Components / Operating system package or component tomcat-lib Operating systems & Components / Operating system package or component tomcat-jsp-2.3-api Operating systems & Components / Operating system package or component tomcat-el-3.0-api Operating systems & Components / Operating system package or component tomcat-docs-webapp Operating systems & Components / Operating system package or component tomcat-admin-webapps Operating systems & Components / Operating system package or component tomcat Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU101814
Risk: Medium
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-50379
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
tomcat-webapps: before 9.0.87-1
tomcat-servlet-4.0-api: before 9.0.87-1
tomcat-lib: before 9.0.87-1
tomcat-jsp-2.3-api: before 9.0.87-1
tomcat-el-3.0-api: before 9.0.87-1
tomcat-docs-webapp: before 9.0.87-1
tomcat-admin-webapps: before 9.0.87-1
tomcat: before 9.0.87-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:tomcat-webapps:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-servlet-4_0-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-lib:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-jsp-2_3-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-el-3_0-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-docs-webapp:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-admin-webapps:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2025:0208
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Input validation error
EUVDB-ID: #VU105485
Risk: Critical
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2025-24813
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
tomcat-webapps: before 9.0.87-1
tomcat-servlet-4.0-api: before 9.0.87-1
tomcat-lib: before 9.0.87-1
tomcat-jsp-2.3-api: before 9.0.87-1
tomcat-el-3.0-api: before 9.0.87-1
tomcat-docs-webapp: before 9.0.87-1
tomcat-admin-webapps: before 9.0.87-1
tomcat: before 9.0.87-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:tomcat-webapps:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-servlet-4_0-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-lib:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-jsp-2_3-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-el-3_0-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-docs-webapp:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat-admin-webapps:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:tomcat:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2025:0208
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
