Apache Tomcat Remote Code Execution Vulnerability (CVE-2025-24813)

Tch
Published on 2025-04-06

1. Vulnerability notice

What is CVE-2025-24813?

https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Description of the vulnerability

Path Equivalence: ‘file.Name’ (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)

  • support for partial PUT (enabled by default)

  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads

  • attacker knowledge of the names of security sensitive files being uploaded

  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)

  • support for partial PUT (enabled by default)

  • application was using Tomcat’s file based session persistence with the default storage location

  • application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

CVE-2025-24813 is a path-equivalence vulnerability in Apache Tomcat that, under specific configurations, can lead to remote code execution (RCE), information disclosure, or malicious content injection. It stems from a flaw in how the default servlet handles an internal dot (‘.’) in file names: when partial PUT is enabled, an attacker can use the path-equivalence issue to bypass security restrictions.

Trigger conditions

Information disclosure / content injection requires all of the following at once:

  • Write access is enabled for the default servlet (disabled by default)

  • Partial PUT support is enabled (enabled by default)

  • The upload path for security-sensitive files is a sub-directory of the public upload path

  • The attacker knows the names of the security-sensitive files

  • The security-sensitive files are also uploaded via partial PUT

Remote code execution requires all of the following at once:

  • Write access is enabled for the default servlet (disabled by default)

  • Partial PUT support is enabled (enabled by default)

  • The application uses Tomcat's file-based session persistence with the default storage location

  • The application includes a library that can be leveraged in a deserialization attack

Impact

  • Information disclosure: viewing sensitive files on the server

  • Content injection: injecting malicious content into uploaded files

  • Remote code execution: executing arbitrary code on the server through a deserialization attack

Affected versions

  • Apache Tomcat 11.0.0-M1 through 11.0.2

  • Apache Tomcat 10.1.0-M1 through 10.1.34

  • Apache Tomcat 9.0.0.M1 through 9.0.98

Fixed versions have been released officially:

  • Upgrade to Tomcat 11.0.3

  • Upgrade to Tomcat 10.1.35

  • Upgrade to Tomcat 9.0.99

For a reproduction of CVE-2025-24813, see the links below 👇🏻.

https://forum.butian.net/article/674

https://blog.csdn.net/weixin_42773448/article/details/146199296

2. Self-check of the project

Now that we know what the vulnerability is, let's look at the project. Its Tomcat version is 10.1.34, which falls squarely within the affected range.

The project currently uses spring-boot-starter-tomcat version 3.3.7.
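To make this self-check repeatable, here is an added example script (written for this post, not code from the original, from Tomcat or from Spring Boot). It encodes the affected version ranges and the two write-related trigger conditions from the advisory above: it parses a Tomcat version string, milestone builds such as 11.0.0-M1 and 9.0.0.M1 included, reports whether it lies in an affected range, and reads a web.xml to see whether the DefaultServlet has its readonly init-param set to false while partial PUT is still on (the allowPartialPut init-param, which defaults to true). The sample web.xml is constructed for the demonstration; run the same functions over your application's web.xml and over Tomcat's own conf/web.xml, which applies when the application does not override the default servlet. The RCE path additionally needs file-based session persistence and a deserialization gadget library, which this script does not inspect.

```python
"""Self-check for CVE-2025-24813 exposure: version range plus DefaultServlet config.

Added example for this post. The affected ranges and trigger conditions come
from the advisory text; the sample web.xml below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory (both bounds inclusive).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]


def parse_version(v):
    """Turn '10.1.34', '11.0.0-M1' or '9.0.0.M1' into a sortable tuple.

    Milestone builds (M1, M2, ...) sort before the final release with the
    same number, so '11.0.0-M1' < '11.0.0' < '11.0.2'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else 10**6  # final release sorts last
    return (int(major), int(minor), int(patch), rank)


def is_affected(version):
    """True if the version lies inside one of the advisory's ranges."""
    parsed = parse_version(version)
    return any(parse_version(lo) <= parsed <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet whose class is DefaultServlet.

    Returns None when the file declares no DefaultServlet (Tomcat's own
    conf/web.xml then decides). Works with or without the web-app namespace.
    """
    def local(tag):
        return tag.rsplit("}", 1)[-1]

    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet
                    if local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        params = {}
        for ip in servlet:
            if local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return None


def write_conditions_met(params):
    """The two preconditions shared by both attack paths in the advisory:
    writes enabled (readonly=false) and partial PUT support (allowPartialPut,
    which defaults to true). Tomcat's defaults (readonly=true) are safe."""
    if params is None:
        return False
    writes_enabled = params.get("readonly", "true").lower() == "false"
    partial_put = params.get("allowPartialPut", "true").lower() != "false"
    return writes_enabled and partial_put


def assess(version, web_xml_text):
    """Combine both checks; 'exposed' needs a vulnerable version AND writes."""
    vulnerable_version = is_affected(version)
    writes = write_conditions_met(default_servlet_params(web_xml_text))
    return {
        "vulnerable_version": vulnerable_version,
        "writes_and_partial_put": writes,
        "exposed": vulnerable_version and writes,
    }


# Constructed sample: an application web.xml that turns on writes for the
# default servlet and leaves allowPartialPut at its default (true).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    # The version from this post, against the constructed web.xml.
    for key, val in assess("10.1.34", SAMPLE_WEB_XML).items():
        print(f"{key}: {val}")
```

Running it with the project's version 10.1.34 reports the version as vulnerable; with the sample web.xml the write preconditions are also met, so the result is exposed. Swapping in 10.1.35 flips the version check, which is exactly what the upgrade below is meant to achieve.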

3. Fix

Upgrade

Change the Spring Boot version

pom.xml

<properties>
    <!-- bumped from 3.3.7 (which pulled in Tomcat 10.1.34) to 3.3.9 -->
    <spring-boot.version>3.3.9</spring-boot.version>
</properties>

That's all.
