CVE-2025-49124

{"id": "CVE-2025-49124", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "published": "2025-06-16T15:15:24.707", "references": [{"url": "https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/16/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109.\n\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue."}, {"lang": "es", "value": "Vulnerabilidad de ruta de b\u00fasqueda no confiable en el instalador de Apache Tomcat para Windows. Durante la instalaci\u00f3n, el instalador de Tomcat para Windows utiliz\u00f3 icacls.exe sin especificar una ruta completa. Este problema afecta a Apache Tomcat: de 11.0.0-M1 a 11.0.7, de 10.1.0 a 10.1.41, y de 9.0.23 a 9.0.105. Se recomienda actualizar a las versiones 11.0.8, 10.1.42 o 9.0.106, que solucionan el problema."}], "lastModified": "2025-08-08T12:15:28.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75453702-175A-473F-8F94-5B37BC6AE150", "versionEndExcluding": "9.0.106", "versionStartIncluding": "9.0.23"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "573ACC55-1E48-4489-A269-12C1A4501DDA", "versionEndExcluding": "10.1.42", "versionStartIncluding": "10.1.0"}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE393E87-D325-4ABB-B49C-5863ECD3DD83", "versionEndExcluding": "11.0.8", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}