{"id":"USN-7525-2","summary":"Tomcat vulnerability","details":"USN-7525-1 fixed CVE-2025-24813 for tomcat9 in Ubuntu 22.04 LTS,\nUbuntu 20.04 LTS, and Ubuntu 18.04 LTS. This update fixes it for\ntomcat9 in Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.10.\nThese versions include only the tomcat library (libtomcat9-java)\nand not the full tomcat server stack.\n\nOriginal advisory details:\n\nIt was discovered that Apache Tomcat incorrectly implemented partial\nPUT functionality by replacing path separators with dots in temporary\nfiles. A remote attacker could possibly use this issue to access\nsensitive files, inject malicious content, or remotely execute code.","modified":"2026-04-27T17:31:41.858045Z","published":"2025-05-26T11:41:03Z","related":["UBUNTU-CVE-2025-24813"],"upstream":["CVE-2025-24813","UBUNTU-CVE-2025-24813"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7525-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-24813"}],"affected":[{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/tomcat9@9.0.70-2ubuntu0.1+esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.70-2ubuntu0.1+esm1"}]}],"versions":["9.0.70-1ubuntu1","9.0.70-2","9.0.70-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.70-2ubuntu0.1+esm1","binary_name":"libtomcat9-java"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7525-2.json","cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"id":"CVE-2025-24813","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.5"}