
Deserialization of Untrusted Data

CVE-2025-24813

Severity High
Score 8.7/10

Summary

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write-enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: through version 9.0.98, 10.1.0-M1 through 10.1.34, 11.0.0-M1 through 11.0.2.

If all of the following were true, a malicious user was able to view security-sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security-sensitive uploads that was a subdirectory of a target URL for public uploads
  • attacker knowledge of the names of security-sensitive files being uploaded
  • the security-sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file-based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
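The two preconditions an operator can check directly from the summary are the Tomcat version (the affected ranges and fixed releases listed above) and whether the default servlet has writes enabled. The following triage script is an added example, not code from the advisory or the Tomcat project. It assumes the Tomcat version string format `a.b.c` or `a.b.c-Mn`, and checks `web.xml` for a `org.apache.catalina.servlets.DefaultServlet` entry whose `readonly` init-param is set to `false` (Tomcat's own default is `readonly=true`, which is what "disabled by default" refers to). The sample `web.xml` is constructed for the example; the remaining preconditions (partial PUT support, file-based session persistence, a gadget library on the classpath) are not covered here.

```python
import re
from xml.etree import ElementTree as ET

# Affected ranges taken from the advisory text: for each branch, every
# version below the first fixed release is affected, milestone (-M)
# builds included. Branches the advisory does not name are not guessed at.
FIXED_VERSIONS = {
    (9, 0): "9.0.99",
    (10, 1): "10.1.35",
    (11, 0): "11.0.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(s):
    """Parse 'a.b.c' or 'a.b.c-Mn' into a comparable tuple.

    Milestones sort before the final release with the same number:
    11.0.0-M1 < 11.0.0-M2 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    # Rank 0 for milestones, 1 for final releases, so finals sort last.
    ms = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), ms)


def is_affected(version):
    """True/False for branches the advisory lists; None for any other branch."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


# Constructed sample (not from a real deployment): the default servlet
# with readonly=false, i.e. writes enabled, the weak setting both attack
# paths in the advisory require. The XML declaration is omitted so the
# string can be fed to ElementTree directly.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writes_enabled(web_xml_text):
    """True if web.xml configures DefaultServlet with readonly=false.

    A missing DefaultServlet entry or a missing readonly parameter means
    Tomcat's default (readonly=true) applies, so writes are disabled.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), None)
        if (cls or "").strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False


def triage(version, web_xml_text):
    """Combine the two checks into one report for an instance."""
    return {
        "affected_version": is_affected(version),
        "writes_enabled": default_servlet_writes_enabled(web_xml_text),
    }


if __name__ == "__main__":
    print(triage("9.0.98", SAMPLE_WEB_XML))
```

Both fields have to be true for the instance to be exposed by this advisory; an affected version with `readonly` left at its default is not reachable through the paths described, but still warrants the upgrade because the fixed releases are the supported remediation.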

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-502 - Deserialization of Untrusted Data

Deserialization of untrusted data vulnerabilities let an attacker replace or manipulate a serialized object so that the victim deserializes attacker-controlled data. When the object is deserialized on the victim's side, that data can compromise the victim's system. The impact can be devastating, ranging from privilege escalation, broken access control or denial of service to unauthorized access to the application's internal code and logic, which can compromise the entire system.
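The mechanism described above, as an added example that is not part of the advisory and not Tomcat's Java session code: a serialized object carries a reference to a callable, and the deserializer resolves and invokes it before the application sees any result. The Python `pickle` module is used here because it shows the pattern compactly; the `UserRecord` type, the `EvilPayload` class and the `operator.add` stand-in for an attacker's real target (such as a shell call) are all constructed for this illustration. The hardened `RestrictedUnpickler` overrides `find_class`, the hook the deserializer uses to resolve globals, and refuses anything outside an allow-list, which is the same control as a class-level deserialization filter in Java.

```python
import io
import operator
import pickle


class UserRecord:
    """A type the application genuinely serializes and expects back."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = roles


# Allow-list of (module, name) pairs the application needs to rebuild from
# a stream. Plain dicts, lists and strings never go through find_class, so
# only application types need listing.
ALLOWED_GLOBALS = {(UserRecord.__module__, "UserRecord")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS.

    pickle calls find_class to turn a (module, name) reference in the
    stream into a real object; a malicious stream uses it to reach
    os.system, subprocess.Popen or similar. Refusing here stops the attack
    before the callable is ever invoked.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data):
    """Hardened form: deserialize through the allow-listing unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data):
    """Vulnerable form: pickle.loads on bytes of unknown origin."""
    return pickle.loads(data)


class EvilPayload:
    """Object whose serialized form tells the loader to call a function.

    __reduce__ says "reconstruct me by calling operator.add(40, 2)". A real
    attacker substitutes os.system("...") here; operator.add keeps the
    demonstration harmless while still proving the callable ran.
    """

    def __reduce__(self):
        return (operator.add, (40, 2))


# Constructed inputs: one attacker-crafted stream, one legitimate record.
MALICIOUS = pickle.dumps(EvilPayload())
BENIGN = pickle.dumps(UserRecord("alice", ["reader"]))


def demo():
    """Return (result of unrestricted load, whether restricted load blocked
    the payload, user field from the benign record)."""
    ran = unsafe_loads(MALICIOUS)  # attacker's callable executed: 42
    try:
        safe_loads(MALICIOUS)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    record = safe_loads(BENIGN)
    return ran, blocked, record.user


if __name__ == "__main__":
    print(demo())
```

The unrestricted load returns 42 without the application ever asking for `operator.add`: the stream chose the function. The restricted load raises on the same bytes and still reconstructs the legitimate `UserRecord`, which is the property a deserialization filter has to provide.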

Advisory Timeline

  • Published