{
  "threat_severity" : "Low",
  "public_date" : "2025-04-28T19:17:21Z",
  "bugzilla" : {
    "description" : "tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve",
    "id" : "2362782",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2362782"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-150",
  "details" : [ "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.", "A flaw was found in Apache Tomcat's rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use." ],
  "statement" : "This vulnerability is rated as Low severity because it only manifests under a narrow set of conditions involving uncommon and non-default rewrite rule configurations that rely on specific patterns in the raw requestURI, including path parameters. In most deployments, rewrite rules operate on decoded and normalized URIs or are used for non-security-critical purposes like routing. Furthermore, Tomcat’s internal processing already normalizes and removes path parameters (;-delimited) before applying security constraints, meaning any bypass would only be feasible if the rewrite logic directly enforced security (which is a poor practice). The flaw does not allow direct code execution, data leakage, or privilege escalation unless the rewrite rule was explicitly misused as a substitute for proper access control.\nIts impact is further mitigated by the fact that rewrite rules are not typically relied upon for access enforcement. As such, while the bug may lead to incorrect rule evaluation under certain edge-case configurations, it does not represent a significant security risk in practice.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23050",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "tomcat-1:10.1.36-3.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23052",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "tomcat9-1:9.0.87-8.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23051",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "tomcat-1:10.1.36-1.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23053",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "tomcat9-1:9.0.87-5.el10_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23048",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.87-1.el8_10.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2725",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "pki-deps:10.6-8020020260128173505.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2724",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "pki-deps:10.6-8040020260129154709.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2724",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "pki-deps:10.6-8040020260129154709.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23045",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23045",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23049",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.87-6.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0292",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "pki-servlet-engine-1:9.0.43-4.el9_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23046",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "tomcat-1:9.0.87-1.el9_2.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0293",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "pki-servlet-engine-1:9.0.50-1.el9_2.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23047",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "tomcat-1:9.0.87-1.el9_4.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23044",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "tomcat-1:9.0.87-3.el9_6.4"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8.6",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22924",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 7",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 8",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 9",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1.3",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19810",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 10",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el10",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el10jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 9",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-31651\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-31651\nhttps://lists.apache.org/list.html?announce@tomcat.apache.org" ],
  "name" : "CVE-2025-31651",
  "mitigation" : {
    "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}