spring-boot-starter-web-1.5.1.RELEASE.jar: 122 vulnerabilities (highest severity is: 9.8) reachable #5
Description
Vulnerable Library - spring-boot-starter-web-1.5.1.RELEASE.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-31651 |  Critical |
9.8 | Not Defined | 0.4% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-24813 | Critical |
9.8 | Functional | 92.799995% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-50379 | Critical |
9.8 | Not Defined | 89.8% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2022-22965 | Critical |
9.8 | High | 94.4% | detected in multiple dependencies | Transitive | N/A* | ✅ |
|
| CVE-2020-9548 | Critical |
9.8 | Not Defined | 54.5% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-9547 | Critical |
9.8 | Not Defined | 50.1% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-9546 | Critical |
9.8 | Not Defined | 15.9% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-8840 | Critical |
9.8 | Not Defined | 84.799995% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-20330 | Critical |
9.8 | Not Defined | 11.4% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-17267 | Critical |
9.8 | Not Defined | 8.2% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-16943 | Critical |
9.8 | Not Defined | 13.9% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-16942 | Critical |
9.8 | Not Defined | 4.7% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-14893 | Critical |
9.8 | Not Defined | 2.0% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-14892 | Critical |
9.8 | Not Defined | 3.2% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-14540 | Critical |
9.8 | Not Defined | 31.8% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-14379 | Critical |
9.8 | Not Defined | 8.8% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2019-10202 | Critical |
9.8 | Not Defined | 2.1% | jackson-databind-2.8.6.jar | Transitive | 2.1.6.RELEASE | ✅ |
|
| CVE-2018-19360 | Critical |
9.8 | Not Defined | 2.0% | jackson-databind-2.8.6.jar | Transitive | 1.5.18.RELEASE | ✅ |
|
| CVE-2017-7525 | Critical |
9.8 | Not Defined | 93.6% | jackson-databind-2.8.6.jar | Transitive | 1.5.5.RELEASE | ✅ |
|
| CVE-2017-5929 | Critical |
9.8 | Not Defined | 12.9% | detected in multiple dependencies | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2017-15095 | Critical |
9.8 | Not Defined | 8.299999% | jackson-databind-2.8.6.jar | Transitive | 1.5.7.RELEASE | ✅ |
|
| CVE-2016-1000027 | Critical |
9.8 | Not Defined | 59.7% | spring-web-4.3.6.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2025-55754 | Critical |
9.6 | Not Defined | 0.1% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2020-11113 |  High |
8.8 | Not Defined | 29.800001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-11112 | High |
8.8 | Not Defined | 1.4000001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-11111 | High |
8.8 | Not Defined | 1.4000001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-10969 | High |
8.8 | Not Defined | 1.4000001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-10968 | High |
8.8 | Not Defined | 1.4000001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-10673 | High |
8.8 | Not Defined | 72.7% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-10672 | High |
8.8 | Not Defined | 1.4000001% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2022-1471 | High |
8.3 | Functional | 84.4% | snakeyaml-1.21.jar | Transitive | 3.2.0 | ✅ |
|
| CVE-2024-22262 | High |
8.1 | Not Defined | 4.6% | spring-web-4.3.6.RELEASE.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2024-22259 | High |
8.1 | Not Defined | 34.2% | spring-web-4.3.6.RELEASE.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2024-22243 | High |
8.1 | Not Defined | 48.5% | spring-web-4.3.6.RELEASE.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2021-20190 | High |
8.1 | Not Defined | 4.3% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36189 | High |
8.1 | Not Defined | 30.5% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36188 | High |
8.1 | Not Defined | 52.399998% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36187 | High |
8.1 | Not Defined | 30.5% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36186 | High |
8.1 | Not Defined | 30.5% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36185 | High |
8.1 | Not Defined | 30.5% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36184 | High |
8.1 | Not Defined | 51.0% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36183 | High |
8.1 | Not Defined | 30.5% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36182 | High |
8.1 | Not Defined | 29.199999% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36181 | High |
8.1 | Not Defined | 29.199999% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36180 | High |
8.1 | Not Defined | 29.199999% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-36179 | High |
8.1 | Not Defined | 85.399994% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-24750 | High |
8.1 | Not Defined | 31.400002% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-24616 | High |
8.1 | Not Defined | 31.400002% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-14195 | High |
8.1 | Not Defined | 7.1000004% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-14062 | High |
8.1 | Not Defined | 10.5% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-14061 | High |
8.1 | Not Defined | 12.1% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-14060 | High |
8.1 | Not Defined | 15.099999% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2020-11620 | High |
8.1 | Not Defined | 2.2% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-11619 | High |
8.1 | Not Defined | 2.2% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2020-10650 | High |
8.1 | Not Defined | 31.099998% | jackson-databind-2.8.6.jar | Transitive | 2.2.0.RELEASE | ✅ |
|
| CVE-2022-27772 | High |
7.8 | Not Defined | 0.1% | spring-boot-1.5.1.RELEASE.jar | Transitive | 2.2.11.RELEASE | ✅ |
|
| WS-2022-0468 | High |
7.5 | Not Defined | jackson-core-2.8.6.jar | Transitive | 3.1.0 | ✅ |
|
|
| CVE-2025-52999 | High |
7.5 | Not Defined | 0.1% | jackson-core-2.8.6.jar | Transitive | 3.1.0 | ✅ |
|
| CVE-2025-48989 | High |
7.5 | Not Defined | 0.3% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-48988 | High |
7.5 | Not Defined | 0.4% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-41249 | High |
7.5 | Not Defined | 0.1% | spring-core-4.3.6.RELEASE.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-31650 | High |
7.5 | Not Defined | 7.0% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-38819 | High |
7.5 | Not Defined | 77.9% | spring-webmvc-4.3.6.RELEASE.jar | Transitive | 3.2.11 | ✅ |
|
| CVE-2024-38816 | High |
7.5 | Not Defined | 90.3% | spring-webmvc-4.3.6.RELEASE.jar | Transitive | 3.2.10 | ✅ |
|
| CVE-2024-34750 | High |
7.5 | Not Defined | 73.7% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-24549 | High |
7.5 | Not Defined | 86.1% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-46589 | High |
7.5 | Not Defined | 24.0% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-44487 | High |
7.5 | High | 90.9% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-28709 | High |
7.5 | Not Defined | 6.8% | tomcat-embed-core-8.5.85.jar | Transitive | 1.5.2.RELEASE | ✅ |
|
| CVE-2022-42004 | High |
7.5 | Not Defined | 1.6% | jackson-databind-2.8.6.jar | Transitive | 2.6.0 | ✅ |
|
| CVE-2022-42003 | High |
7.5 | Not Defined | 3.1% | jackson-databind-2.8.6.jar | Transitive | 2.6.0 | ✅ |
|
| CVE-2022-25857 | High |
7.5 | Not Defined | 2.4% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2020-36518 | High |
7.5 | Not Defined | 5.5% | jackson-databind-2.8.6.jar | Transitive | N/A* | ❌ |
|
| CVE-2019-14439 | High |
7.5 | Not Defined | 7.6% | jackson-databind-2.8.6.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2018-15756 | High |
7.5 | Not Defined | 23.5% | detected in multiple dependencies | Transitive | N/A* | ❌ |
|
| CVE-2018-1272 | High |
7.5 | Not Defined | 1.7% | spring-core-4.3.6.RELEASE.jar | Transitive | 1.5.11.RELEASE | ✅ |
|
| CVE-2018-11040 | High |
7.5 | Not Defined | 3.6% | detected in multiple dependencies | Transitive | 1.5.14.RELEASE | ✅ |
|
| CVE-2025-35036 | High |
7.3 | Not Defined | 0.2% | hibernate-validator-5.3.4.Final.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-22235 | High |
7.3 | Functional | 0.1% | spring-boot-1.5.1.RELEASE.jar | Transitive | N/A* | ❌ |
|
| CVE-2023-6481 | High |
7.1 | Not Defined | 0.2% | logback-core-1.1.9.jar | Transitive | N/A* | ❌ |
|
| CVE-2023-6378 | High |
7.1 | Not Defined | 1.0% | logback-classic-1.1.9.jar | Transitive | 3.2.1 | ✅ |
|
| CVE-2024-12798 |  Medium |
6.6 | Not Defined | 0.3% | detected in multiple dependencies | Transitive | 4.0.0 | ✅ |
|
| CVE-2021-42550 | Medium |
6.6 | Not Defined | 3.8% | detected in multiple dependencies | Transitive | 2.5.8 | ✅ |
|
| CVE-2025-55668 | Medium |
6.5 | Not Defined | 0.1% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-49125 | Medium |
6.5 | Not Defined | 0.5% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-46701 | Medium |
6.5 | Not Defined | 0.1% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2023-20863 | Medium |
6.5 | Not Defined | 0.9% | spring-expression-4.3.6.RELEASE.jar | Transitive | 2.4.0 | ✅ |
|
| CVE-2023-20861 | Medium |
6.5 | Not Defined | 0.5% | spring-expression-4.3.6.RELEASE.jar | Transitive | 2.4.0 | ✅ |
|
| CVE-2022-38752 | Medium |
6.5 | Not Defined | 0.70000005% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2022-38751 | Medium |
6.5 | Not Defined | 1.2% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2022-38750 | Medium |
6.5 | Not Defined | 0.3% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2022-38749 | Medium |
6.5 | Not Defined | 1.2% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2022-22950 | Medium |
6.5 | Not Defined | 0.3% | spring-expression-4.3.6.RELEASE.jar | Transitive | 2.4.0 | ✅ |
|
| CVE-2020-5421 | Medium |
6.5 | Not Defined | 75.700005% | spring-web-4.3.6.RELEASE.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2024-23672 | Medium |
6.3 | Not Defined | 3.0% | tomcat-embed-websocket-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-41080 | Medium |
6.1 | Not Defined | 68.1% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-1932 | Medium |
6.1 | Not Defined | 0.4% | hibernate-validator-5.3.4.Final.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2025-41242 | Medium |
5.9 | Not Defined | 0.1% | spring-beans-4.3.6.RELEASE.jar | Transitive | N/A* | ❌ |
|
| CVE-2023-42794 | Medium |
5.9 | Not Defined | 3.0% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2018-1271 | Medium |
5.9 | Not Defined | 33.3% | spring-webmvc-4.3.6.RELEASE.jar | Transitive | 1.5.11.RELEASE | ✅ |
|
| CVE-2018-11039 | Medium |
5.9 | Not Defined | 1.8% | spring-web-4.3.6.RELEASE.jar | Transitive | 1.5.14.RELEASE | ✅ |
|
| CVE-2022-41854 | Medium |
5.8 | Not Defined | 1.0% | snakeyaml-1.21.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2025-61795 | Medium |
5.3 | Not Defined | 0.1% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-38828 | Medium |
5.3 | Not Defined | 0.3% | spring-webmvc-4.3.6.RELEASE.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-38809 | Medium |
5.3 | Not Defined | 0.3% | spring-web-4.3.6.RELEASE.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2023-45648 | Medium |
5.3 | Not Defined | 4.0% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2023-42795 | Medium |
5.3 | Not Defined | 4.1% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2022-22970 | Medium |
5.3 | Not Defined | 0.9% | detected in multiple dependencies | Transitive | 2.4.0 | ✅ |
|
| CVE-2022-22968 | Medium |
5.3 | Not Defined | 49.3% | spring-context-4.3.6.RELEASE.jar | Transitive | 2.4.0 | ✅ |
|
| CVE-2020-10693 | Medium |
5.3 | Not Defined | 0.3% | hibernate-validator-5.3.4.Final.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2018-1199 | Medium |
5.3 | Not Defined | 1.5% | spring-core-4.3.6.RELEASE.jar | Transitive | 1.5.10.RELEASE | ✅ |
|
| CVE-2024-12801 | Medium |
4.4 | Not Defined | 0.1% | logback-core-1.1.9.jar | Transitive | 4.0.0 | ✅ |
|
| CVE-2024-38808 | Medium |
4.3 | Not Defined | 0.6% | spring-expression-4.3.6.RELEASE.jar | Transitive | 3.0.0 | ✅ |
|
| CVE-2023-28708 | Medium |
4.3 | Not Defined | 1.1% | tomcat-embed-core-8.5.85.jar | Transitive | 2.1.0.RELEASE | ✅ |
|
| CVE-2021-22096 | Medium |
4.3 | Not Defined | 0.2% | detected in multiple dependencies | Transitive | 2.4.0 | ✅ |
|
| CVE-2021-22060 | Medium |
4.3 | Not Defined | 0.1% | spring-core-4.3.6.RELEASE.jar | Transitive | 2.4.0 | ✅ |
|
| CVE-2025-49128 | Medium |
4.0 | Not Defined | 0.0% | jackson-core-2.8.6.jar | Transitive | N/A* | ❌ |
|
| CVE-2025-22233 |  Low |
3.1 | Not Defined | 0.1% | spring-context-4.3.6.RELEASE.jar | Transitive | N/A* | ❌ |
|
| CVE-2024-38820 | Low |
3.1 | Not Defined | 0.3% | spring-context-4.3.6.RELEASE.jar | Transitive | 3.2.11 | ✅ |
|
| CVE-2023-20883 | High |
7.5 | Not Defined | 0.5% | spring-boot-autoconfigure-1.5.1.RELEASE.jar | Transitive | 2.5.15 | ✅ |
|
| CVE-2025-11226 | Medium |
6.9 | Not Defined | 0.0% | logback-core-1.1.9.jar | Transitive | 4.0.0 | ✅ |
|
| CVE-2023-24998 | High |
7.5 | Not Defined | 87.8% | tomcat-embed-core-8.5.85.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (3 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2025-31651
Vulnerable Library - tomcat-embed-core-8.5.85.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.85/tomcat-embed-core-8.5.85.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
- ❌ tomcat-embed-core-8.5.85.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.catalina.webresources.FileResource (Application)
-> org.apache.catalina.core.StandardContext (Extension)
-> ❌ org.joychou.config.TomcatFilterMemShell (Vulnerable Component)
Vulnerability Details
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
Users are recommended to upgrade to versions 9.0.104, 10.1.40 or 11.0.6, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-04-28
URL: CVE-2025-31651
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3
Release Date: 2025-04-28
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:11.0.6,https://github.com/apache/tomcat.git - 10.0.40,https://github.com/apache/tomcat.git - 11.0.6,org.apache.tomcat:tomcat-catalina:11.0.6,org.apache.tomcat:tomcat-catalina:10.1.40,org.apache.tomcat.embed:tomcat-embed-core:9.0.104,https://github.com/apache/tomcat.git - 9.0.104,org.apache.tomcat:tomcat-catalina:9.0.104,org.apache.tomcat.embed:tomcat-embed-core:10.1.40
CVE-2025-24813
Vulnerable Library - tomcat-embed-core-8.5.85.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.85/tomcat-embed-core-8.5.85.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
- ❌ tomcat-embed-core-8.5.85.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.catalina.webresources.FileResource (Application)
-> org.apache.catalina.core.StandardContext (Extension)
-> ❌ org.joychou.config.TomcatFilterMemShell (Vulnerable Component)
Vulnerability Details
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-03-10
URL: CVE-2025-24813
Threat Assessment
Exploit Maturity: Functional
EPSS: 92.799995%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Release Date: 2025-03-10
Fix Resolution: org.apache.tomcat:tomcat-catalina:11.0.3,org.apache.tomcat.embed:tomcat-embed-core:11.0.3,org.apache.tomcat.embed:tomcat-embed-core:9.0.99,https://github.com/apache/tomcat.git - 11.0.3,org.apache.tomcat:tomcat-catalina:9.0.99,org.apache.tomcat.embed:tomcat-embed-core:10.1.35,https://github.com/apache/tomcat.git - 9.0.99,org.apache.tomcat:tomcat-catalina:10.1.35,https://github.com/apache/tomcat.git - 10.1.35
CVE-2024-50379
Vulnerable Library - tomcat-embed-core-8.5.85.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.85/tomcat-embed-core-8.5.85.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.1.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
- ❌ tomcat-embed-core-8.5.85.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.1.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.apache.coyote.CompressionConfig (Application)
-> org.apache.coyote.http11.Http11Protocol (Extension)
-> org.apache.catalina.core.StandardService (Extension)
-> org.apache.catalina.deploy.NamingResourcesImpl (Extension)
-> org.apache.catalina.core.StandardContext (Extension)
-> ❌ org.joychou.config.TomcatFilterMemShell (Vulnerable Component)
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-17
URL: CVE-2024-50379
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 89.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution: org.apache.tomcat:tomcat-catalina:9.0.98,10.1.34,11.0.2, org.apache.tomcat.embed:tomcat-embed-core:9.0.98,10.1.34,11.0.2
⛑️Automatic Remediation will be attempted for this issue.