Improper Handling of Case Sensitivity in org.apache.tomcat.embed:tomcat-embed-core

CVE-2025-46701

org.apache.tomcat.embed:tomcat-embed-core
org.apache.tomcat:tomcat-catalina

High

7.3/10

Summary

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the "pathInfo" component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat versions 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-178 - Improper Handling of Case Sensitivity

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

References

Advisory Timeline

Published May 29, 2025

Improper Handling of Case Sensitivity in org.apache.tomcat.embed:tomcat-embed-core

CVE-2025-46701

Summary

CWE-178 - Improper Handling of Case Sensitivity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS