Apache Tomcat Rewrite Valve Rule Bypass Vulnerability

Vulnerability

A vulnerability allowing the bypass of certain rewrite rules in Apache Tomcat's Rewrite Valve has been identified. The issue arises from improper handling of escape, meta, or control sequences in requests. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.5, 10.1.0-M1 through 10.1.39, and 9.0.0.M1 through 9.0.102. Only a specific subset of unlikely rewrite rule configurations is exposed: against such configurations, a specially crafted request could evade some rewrite rules. If the bypassed rules were enforcing security constraints, those constraints could be circumvented.

Impact

Exploitation of this vulnerability could lead to the bypass of security constraints enforced by certain rewrite rules, potentially allowing unauthorized access or actions that should be restricted.

Remediation

Users are advised to upgrade to Apache Tomcat versions 11.0.6, 10.1.41, or 9.0.105, all of which address this vulnerability.
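To turn the version ranges above into an inventory check, the following added example (not code from the advisory or from the Apache Tomcat project) parses Tomcat version strings, including the milestone forms "11.0.0-M1" and "9.0.0.M1" used in the advisory, and reports the upgrade target for any version inside an affected range. Anything outside the listed ranges returns None, which only means "not in a listed range", not "confirmed safe".

```python
import re
from typing import Optional, Tuple

# Affected ranges and corresponding fixed releases, exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.5", "11.0.6"),
    ("10.1.0-M1", "10.1.39", "10.1.41"),
    ("9.0.0.M1", "9.0.102", "9.0.105"),
]

# Tomcat writes milestones as "11.0.0-M1" (newer branches) or "9.0.0.M1" (9.0.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    A milestone sorts before the final release of the same number, so the
    tuple is (major, minor, patch, is_final, milestone_number).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def upgrade_target(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `version` is in an affected
    range, otherwise None (outside the ranges listed in the advisory)."""
    v = parse_version(version)
    for lowest, highest, fixed in AFFECTED_RANGES:
        if parse_version(lowest) <= v <= parse_version(highest):
            return fixed
    return None


def upgrade_target_from_banner(line: str) -> Optional[str]:
    """Same check on a 'Server version: Apache Tomcat/9.0.100' line as printed
    by catalina.sh version (the banner format is assumed here)."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        raise ValueError(f"no Tomcat version found in: {line!r}")
    return upgrade_target(m.group(1))
```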

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          8.8
impact:          2.5
exploitability:  7.6
remediation:     7.7
relevance:       0.0
threat:          0.0
urgency:         2.9
incentive:       5.8

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.