List of Vulnerabilities found in EM 10.8.0.220.
| Component name | Component version name | Vulnerability id | Security Risk | Overall score |
|---|---|---|---|---|
| Apache Tomcat | 9.0.87 | CVE-2025-24813 (BDSA-2025-1980) | CRITICAL | 9.8 |
| Apache Tomcat | 9.0.87 | CVE-2025-31651 (BDSA-2025-3616) | CRITICAL | 9.8 |

| Component name | Component version name | Component origin id | Component origin version name | Vulnerability id | Description | Security Risk | Overall score |
|---|---|---|---|---|---|---|---|
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2024-52316 (BDSA-2024-8736) | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setti | CRITICAL | 9.8 |
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2024-50379 (BDSA-2024-9762) | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache T | CRITICAL | 9.8 |
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2024-56337 (BDSA-2024-9919) | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time t | CRITICAL | 9.8 |
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2025-24813 (BDSA-2025-1980) | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11 | CRITICAL | 9.8 |
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2025-31651 (BDSA-2025-3616) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules eff | CRITICAL | 9.8 |
| Apache Tomcat | 8.5.70 | org.apache.tomcat.embed:tomcat-embed-el:8.5.70 | 8.5.70 | CVE-2025-55754 (BDSA-2025-14738) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI es | CRITICAL | 9.6 |
| Apache Tomcat | 8.5.89 | org.apache.tomcat:tomcat:8.5.89 | 8.5.89 | CVE-2025-55754 (BDSA-2025-14738) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI es | CRITICAL | 9.6 |
| Apache Tomcat | 9.0.87 | org.apache.tomcat:tomcat-annotations-api:9.0.87.redhat-00010 | 9.0.87.redhat-00010 | CVE-2025-55754 (BDSA-2025-14738) | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI es | CRITICAL | 9.6 |

EM 10.8.0.220 SAP release.
This is a false positive as well: CVE-2025-31651 (BDSA-2025-3616) (CRITICAL) - Apache Tomcat Vulnerable to Rewrite Rule Bypass via Insufficient Handling of Invalid Characters in Request URLs
This is a false positive: CVE-2024-50379 (BDSA-2024-9762) (CRITICAL) - Apache Tomcat Vulnerable to Console Manipulation via Improper Neutralization of ANSI Escape Sequences in Log Files
This is a false positive because Apache Tomcat is not shipped with the APM 10.x product; we only use org.mortbay.jasper:apache-jsp from the whole of Apache Tomcat (in the Jetty server). You can see the org.mortbay.jasper:apache-jsp dependency in the OWASP dependency check or in any BlackDuck scan. The CVE-2024-52316 vulnerability is related to the custom authentication. We do not use this Tomcat functionality in APM at all.
Note: All of the Tomcat critical security vulnerabilities are false positives; we are not affected at all.