This vulnerability in Apache Tomcat allows an attacker to bypass the security constraints protecting files served from `PreResources` or `PostResources` when those resource sets are mounted somewhere other than the root of the web application. Because of incorrect path handling, a resource in such a mount can also be reached through an unexpected alternate path. Security constraints are matched against the request URI, so a constraint written for the expected path does not apply to the alternate one, and Tomcat serves the resource without enforcing it, exposing content that was meant to be protected. Affected versions are Apache Tomcat 11.0.0-M1 to 11.0.7, 10.1.0-M1 to 10.1.41, and 9.0.0.M1 to 9.0.105. The fix is in 11.0.8, 10.1.42, and 9.0.106.
DailyCVE Form
Platform: Apache Tomcat
Version: 9.0.0.M1 to 9.0.105 (also 10.1.0-M1 to 10.1.41 and 11.0.0-M1 to 11.0.7)
Vulnerability: Constraint Bypass
Severity: Moderate
Date: Jun 16, 2025
Prediction: Already patched; fixed releases 9.0.106, 10.1.42 and 11.0.8 are available
What Undercode Says
Confirm the running version, then look for resource sets mounted off the root (PreResources and PostResources are configured in context.xml, not web.xml, and use the webAppMount attribute):
$CATALINA_HOME/bin/version.sh
grep -r -E "PreResources|PostResources" $CATALINA_BASE/conf/ $CATALINA_BASE/webapps/*/META-INF/context.xml
Then confirm that the expected path of a protected resource really is protected (expect 401 or 403):
curl -I http://vulnerable-tomcat/path/resource
How to Exploit
- Identify a resource served from a PreResources or PostResources set mounted at a non-root path and protected by a security constraint (the expected path answers 401 or 403).
- Request the same resource through the alternate path that the flawed lookup resolves to the same mount; the constraint is not applied to that URI, so the resource is returned without authentication.
Protection from this CVE
- Upgrade to 9.0.106, 10.1.42 or 11.0.8.
- Until the upgrade is done, avoid mounting PreResources or PostResources at non-root paths, or move sensitive files out of those resource sets.
- Treat a review of web.xml security constraints as defence in depth, not as a substitute for the patch.
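The checks above can be automated. The following script is an added example, not code from the Tomcat project or from the original post: it parses a constructed context.xml for PreResources/PostResources elements whose webAppMount is not the root (Tomcat's default when the attribute is absent is "/"), collects the url-patterns of every security-constraint in a constructed web.xml, reports which non-root mounts those constraints were meant to cover, and compares a version banner against the fixed releases named above. It does not probe the alternate path itself, since the page does not give it; the two XML documents, the hostnames and the file paths are invented sample input.

```python
"""Audit helper for Tomcat PreResources/PostResources mounted off the root.

Added example (not Tomcat project code). Assumes the standard layout:
  - context.xml: <Resources> children PreResources/PostResources with an
    optional webAppMount attribute (default "/")
  - web.xml: <security-constraint> elements containing <url-pattern>
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by branch.
FIXED_VERSIONS = {"9.0": (9, 0, 106), "10.1": (10, 1, 42), "11.0": (11, 0, 8)}

# Constructed sample context.xml: two resource sets mounted off the root,
# one at the root (no webAppMount).
SAMPLE_CONTEXT_XML = """<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared/admin-docs" webAppMount="/admin/docs"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/static" webAppMount="/static"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/root-overlay"/>
  </Resources>
</Context>
"""

# Constructed sample web.xml: only /admin/* is protected.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def parse_version(banner):
    """(major, minor, patch) from 'Apache Tomcat/9.0.105' or '9.0.105'.
    Milestones such as 9.0.0.M1 or 10.1.0-M1 parse as patch 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(banner):
    """True when the version is on an affected branch and below the fix."""
    v = parse_version(banner)
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return False  # branch not listed in the advisory; out of scope here
    return v < fixed


def _local(tag):
    """Strip an XML namespace prefix like '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]


def non_root_mounts(context_xml):
    """[(tag, webAppMount, base)] for Pre/PostResources not mounted at '/'."""
    found = []
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) in ("PreResources", "PostResources"):
            mount = el.get("webAppMount", "/")
            if mount.rstrip("/"):  # "/" normalises to "" and is skipped
                found.append((_local(el.tag), mount, el.get("base", "")))
    return found


def constraint_patterns(web_xml):
    """All url-pattern values found under security-constraint elements."""
    patterns = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "security-constraint":
            for sub in el.iter():
                if _local(sub.tag) == "url-pattern" and sub.text:
                    patterns.append(sub.text.strip())
    return patterns


def pattern_covers(pattern, mount):
    """Servlet-style match for exact, '/prefix/*' and '/*' patterns
    (extension patterns such as '*.jsp' are ignored on purpose)."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return mount == prefix or mount.startswith(prefix + "/")
    return pattern == mount


def audit(context_xml, web_xml):
    """Report each non-root mount with the constraint patterns covering it.
    On an unpatched release even a covered mount is reachable via the
    alternate path; the report shows what the constraints intended to protect."""
    patterns = constraint_patterns(web_xml)
    return [
        {"type": tag, "mount": mount, "base": base,
         "constraints": [p for p in patterns if pattern_covers(p, mount)]}
        for tag, mount, base in non_root_mounts(context_xml)
    ]


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("Apache Tomcat/9.0.105"))
    for row in audit(SAMPLE_CONTEXT_XML, SAMPLE_WEB_XML):
        print(row)
```

Run it against a real deployment by replacing the two sample strings with the contents of $CATALINA_BASE/webapps/<app>/META-INF/context.xml and WEB-INF/web.xml; any row whose constraints list is non-empty is a mount the fix is meant to protect, and any row at all is a reason to upgrade.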
Impact
- Unauthorized data access.
- Security policy bypass.
Sources:
Reported By: github.com