{ "threat_severity" : "Moderate", "public_date" : "2025-07-10T19:14:23Z", "bugzilla" : { "description" : "tomcat: Apache Tomcat denial of service", "id" : "2379386", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2379386" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.", "A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14178", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "tomcat9-1:9.0.87-5.el10_0.3" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14179", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "tomcat-1:10.1.36-1.el10_0.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14177", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "tomcat-1:9.0.87-1.el8_10.6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14182", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "tomcat-1:9.0.87-1.el8_8.7" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14182", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "tomcat-1:9.0.87-1.el8_8.7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14181", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "tomcat-1:9.0.87-3.el9_6.3" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14183", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "tomcat-1:9.0.87-1.el9_2.6" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-08-20T00:00:00Z", "advisory" : "RHSA-2025:14180", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "tomcat-1:9.0.87-1.el9_4.6" }, { "product_name" : "Red Hat JBoss Web Server 5.8.5", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11696", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8", "package" : "jws5-tomcat" }, { "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 7", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11695", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7", "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 8", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11695", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8", "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 9", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11695", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9", "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el9jws" }, { "product_name" : "Red Hat JBoss Web Server 6.1.1", "release_date" : "2025-07-30T00:00:00Z", "advisory" : "RHSA-2025:11742", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1", "package" : "jws6-tomcat" }, { "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 10", "release_date" : "2025-07-30T00:00:00Z", "advisory" : "RHSA-2025:11741", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el10", "package" : "jws6-tomcat-0:10.1.36-7.redhat_00008.1.el10jws" }, { "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 8", "release_date" : "2025-07-30T00:00:00Z", "advisory" : "RHSA-2025:11741", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8", "package" : "jws6-tomcat-0:10.1.36-7.redhat_00008.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 9", "release_date" : "2025-07-30T00:00:00Z", "advisory" : "RHSA-2025:11741", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9", "package" : "jws6-tomcat-0:10.1.36-7.redhat_00008.1.el9jws" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Fix deferred", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "pki-deps:10.6/pki-servlet-engine", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "pki-servlet-engine", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-53506\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-53506\nhttps://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0" ], "name" : "CVE-2025-53506", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }