CVE-2025-24813

Analysis and mitigation of the Tomcat vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

Apache Tomcat's default servlet contains a path equivalence vulnerability that is reachable only when write operations are enabled on that servlet. An attacker with write access to the upload path can exploit the handling of internal dots in file names to read security-sensitive uploaded files, inject malicious content into them, or, under the additional conditions described below, execute arbitrary code. The vulnerability was disclosed on March 10, 2025. CISA lists CVE-2025-24813 as exploited in the wild, but it is not currently known to be used in ransomware campaigns.

Technical details

Apache Tomcat's default servlet (org.apache.catalina.servlets.DefaultServlet) has a path equivalence flaw in how it resolves file names that contain an internal dot. It is reachable only when the default servlet has write operations enabled (the readonly init-param set to false, which is not the default) and supports partial PUT (enabled by default). With those settings, an attacker who can upload to a public path can craft file names that resolve to a different file than the request path suggests, and so read or overwrite security-sensitive files that were uploaded through the same mechanism, provided the attacker knows their names. The Apache advisory ties the remote code execution outcome to two further conditions: the application uses Tomcat's file-based session persistence with its default storage location, and a library on the classpath can be leveraged in a deserialization attack. Affected releases are Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34 and 9.0.0.M1 to 9.0.98.

The vulnerability is classified as CWE-41 (Improper Resolution of Path Equivalence), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting an unauthenticated, network-reachable flaw with high impact on confidentiality, integrity and availability.

Impact

Successful exploitation allows an attacker to: (1) read security-sensitive files that other users upload through the same write-enabled path, (2) inject malicious content into those files, corrupting application resources, and (3) where file-based session persistence and a deserialization-capable library are also present, execute arbitrary code on the server. The code execution vector is deserialization of a crafted session file, not direct execution of an uploaded JSP that slips past an extension filter. If Tomcat runs with elevated privileges, this can lead to complete system compromise; running it as an unprivileged user bounds the damage.

Mitigation and workarounds

Upgrade to a fixed release: Apache Tomcat 9.0.99, 10.1.35 or 11.0.3 and later. The fixed releases also add an allowPartialPut init-param to the default servlet so that partial PUT support can be switched off.

As temporary workarounds:

1. Disable write operations on the default servlet by leaving (or setting) the readonly init-param to true in conf/web.xml. This is the default configuration in most Tomcat deployments; verify it rather than assume it.
2. Restrict access to upload endpoints with HTTP authentication or firewall rules so that only trusted sources can write.
3. Validate upload file names strictly: reject names containing internal dots or other suspicious patterns, and use a whitelist of allowed characters and extensions.
4. Use a dedicated, isolated upload directory outside the web root, served by a separate servlet or application with strict security controls rather than by the default servlet.
5. Run Tomcat as a dedicated, unprivileged user account to limit the impact of a successful exploit.
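As an added example (not part of this advisory and not Apache Tomcat's own code), the Python script below checks a Tomcat conf/web.xml for the two DefaultServlet settings that gate this issue, readonly and allowPartialPut, and implements the whitelist file-name validation recommended above. The web.xml fragments are constructed for the demo; the two init-param names are real DefaultServlet parameters, with allowPartialPut only present from the fixed releases (9.0.99, 10.1.35, 11.0.3) onward, and the allowed-extension set is an assumed per-application policy.

```python
"""Audit Tomcat's DefaultServlet write settings and whitelist upload file names.

Added example for this advisory, not Apache Tomcat's own code. The web.xml
fragments are constructed for the demo. 'readonly' and 'allowPartialPut' are
real DefaultServlet init-params (allowPartialPut exists only from the fixed
releases 9.0.99 / 10.1.35 / 11.0.3 onward); the allowed extensions below are
an assumed per-application policy.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed: conf/web.xml with the weak setting that enables PUT on the default servlet.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed: the corrected configuration. readonly=true is the Tomcat default;
# allowPartialPut=false is an extra guard available on fixed releases.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so the audit works for javaee and jakartaee schemas alike."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, child_name):
    """Stripped text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == child_name:
            return (child.text or "").strip()
    return None


def audit_default_servlet(web_xml):
    """Return the effective DefaultServlet write settings plus findings for CVE-2025-24813."""
    root = ET.fromstring(web_xml)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for init_param in servlet:
            if _local(init_param.tag) == "init-param":
                name = _text(init_param, "param-name")
                if name:
                    params[name] = _text(init_param, "param-value")
    # Tomcat defaults when a parameter is absent: readonly=true, allowPartialPut=true.
    readonly = (params.get("readonly") or "true").lower() == "true"
    partial_put = (params.get("allowPartialPut") or "true").lower() == "true"
    findings = []
    if not readonly:
        findings.append("readonly=false: DefaultServlet accepts PUT/DELETE (precondition for CVE-2025-24813)")
        if partial_put:
            findings.append("partial PUT still enabled: set allowPartialPut=false on a fixed release, or upgrade")
    return {"readonly": readonly, "allowPartialPut": partial_put, "findings": findings}


# Assumed upload policy: short base name from a whitelist of characters, exactly one extension.
ALLOWED_EXTENSIONS = ("png", "jpg", "pdf", "txt")
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:%s)" % "|".join(ALLOWED_EXTENSIONS))


def is_safe_upload_name(name):
    """Whitelist check for a bare file name: rejects internal dots, path separators,
    double extensions, trailing newlines and anything outside the allowed character set."""
    return _SAFE_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(xml_text)["findings"] or ["no findings"])
    for candidate in ("report.pdf", "a.b.pdf", "shell.jsp", "../x.pdf"):
        print(candidate, "accepted" if is_safe_upload_name(candidate) else "rejected")
```

Run it against the real file with the contents of $CATALINA_BASE/conf/web.xml in place of the constructed fragments; an application's own WEB-INF/web.xml can also redeclare the default servlet, so audit both. The name check is deliberately case-sensitive and accepts only a bare name, which is what a whitelist approach means in practice.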

CISA recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: This report was generated by AI

Related Apache Software Foundation vulnerabilities

No related vulnerabilities with identified affected products.