AI description
CVE-2025-49124 is an Untrusted Search Path vulnerability that affects the Apache Tomcat installer for Windows. The vulnerability occurs because the installer uses `icacls.exe` without specifying the full path. This issue affects Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0 through 10.1.41, and 9.0.23 through 9.0.105. To resolve this vulnerability, users are advised to upgrade to versions 11.0.8, 10.1.42, or 9.0.106, which include the necessary fix.
- Description
- Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
- Source
- security@apache.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 8.4
- Impact score
- 5.9
- Exploitability score
- 2.5
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- Source
- security@apache.org
- CWE
- CWE-426 (Untrusted Search Path)
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 25
[JVNVU#92268925] Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/yS0pOPFwnw #jvn #脆弱性 #セキュリティ
@jpsecuritynews
18 Jun 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
JVN: Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/nItYMZx043
@AileenWoodstock
18 Jun 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Consolidated feed JPCERT/CC | JVN: Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/ND28P5Z1Yr #itsec_jp
@itsec_jp
18 Jun 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
JVNVU#92268925 Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/w50IFOjRSj If you use it, please update promptly.
@Syynya
17 Jun 2025
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A memo for my #後で読む (read later) tag → JVNVU#92268925 Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/8klbCDtb6y
@TommiyTw
17 Jun 2025
160 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[Published 2025/06/17 17:45] Multiple vulnerabilities in Apache Tomcat (CVE-2025-49124, CVE-2025-49125) https://t.co/fkCeTp30MF
@jvnjp
17 Jun 2025
2466 Impressions
6 Retweets
7 Likes
0 Bookmarks
0 Replies
1 Quote
On June 16, 2025, multiple serious vulnerabilities were reported in Apache Tomcat. CVE-2025-48976 and CVE-2025-48988 enable high-severity DoS attacks, while CVE-2025-49124 and CVE-2025-49125 carry a risk of authentication bypass and privilege escalation. The affected range runs from Tomcat 9.0.x through 1
@yousukezan
17 Jun 2025
9081 Impressions
27 Retweets
85 Likes
36 Bookmarks
0 Replies
4 Quotes
Multiple vulnerabilities fixed in Apache Tomcat: two DoS issues (CVE-2025-48976, CVE-2025-48988), side-loading in the Windows installer (CVE-2025-49124), and a security-constraint bypass in Pre/PostResources (CVE-2025-49125). https://t.co/3DJG9PvXp6
@__kokumoto
17 Jun 2025
1198 Impressions
2 Retweets
7 Likes
3 Bookmarks
0 Replies
0 Quotes
Apache Tomcat CVE-2025-48988: FileUpload large number of parts with headers DoS https://t.co/CJMnlUeEkH CVE-2025-49125: Security constraint bypass for pre/post-resources https://t.co/Xf5vlsRQVv CVE-2025-49124: exe side-loading via icacls.exe in installer https://t.co/q2MAFtMdux
@oss_security
17 Jun 2025
81 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Apache Tomcat patched four vulnerabilities (CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, CVE-2025-49125) affecting versions 9.0, 10.1, and 11.0, ranging from DoS to privilege bypass. Update immediately. #ApacheTomcat #Vulnerability https://t.co/lNt1FXhZtO
@the_yellow_fall
17 Jun 2025
178 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49124 Untrusted Search Path Vulnerability in Apache Tomcat Windows Installer Versions https://t.co/IJi9bjV6DN
@VulmonFeeds
16 Jun 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49124 Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a… https://t.co/I3n6lrEvA8
@CVEnew
16 Jun 2025
390 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes