GHSA-h2fw-rfh5-95r3

Suggest an improvement
Source
https://github.com/advisories/GHSA-h2fw-rfh5-95r3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h2fw-rfh5-95r3
Aliases
Related
Published
2025-05-29T21:31:37Z
Modified
2025-06-02T09:41:52.883421Z
Severity
  • 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear CVSS Calculator
Summary
Apache Tomcat - CGI security constraint bypass
Details

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.

Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Database specific 
{
    "nvd_published_at": "2025-05-29T19:15:27Z",
    "cwe_ids": [
        "CWE-178"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T22:37:21Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.105

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89
9.0.90
9.0.91
9.0.93
9.0.94
9.0.95
9.0.96
9.0.97
9.0.98
9.0.99
9.0.100
9.0.102
9.0.104

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.41

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
10.1.25
10.1.26
10.1.28
10.1.29
10.1.30
10.1.31
10.1.33
10.1.34
10.1.35
10.1.36
10.1.39
10.1.40

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M1
Fixed
11.0.7

Affected versions

11.*

11.0.0-M1
11.0.0-M3
11.0.0-M4
11.0.0-M5
11.0.0-M6
11.0.0-M7
11.0.0-M9
11.0.0-M10
11.0.0-M11
11.0.0-M12
11.0.0-M13
11.0.0-M14
11.0.0-M15
11.0.0-M16
11.0.0-M17
11.0.0-M18
11.0.0-M19
11.0.0-M20
11.0.0-M21
11.0.0-M22
11.0.0-M24
11.0.0-M25
11.0.0-M26
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.M1
Fixed
9.0.105

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89
9.0.90
9.0.91
9.0.93
9.0.94
9.0.95
9.0.96
9.0.97
9.0.98
9.0.99
9.0.100
9.0.102
9.0.104

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.41

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
10.1.25
10.1.26
10.1.28
10.1.29
10.1.30
10.1.31
10.1.33
10.1.34
10.1.35
10.1.36
10.1.39
10.1.40

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M1
Fixed
11.0.7

Affected versions

11.*

11.0.0-M1
11.0.0-M3
11.0.0-M4
11.0.0-M5
11.0.0-M6
11.0.0-M7
11.0.0-M9
11.0.0-M10
11.0.0-M11
11.0.0-M12
11.0.0-M13
11.0.0-M14
11.0.0-M15
11.0.0-M16
11.0.0-M17
11.0.0-M18
11.0.0-M19
11.0.0-M20
11.0.0-M21
11.0.0-M22
11.0.0-M24
11.0.0-M25
11.0.0-M26
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6