tomcat10-10.1.42-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15302-1 Final 1 1 2025-07-03T00:00:00Z current 2025-07-03T00:00:00Z 2025-07-03T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat10-10.1.42-1.1 on GA media These are all security issues fixed in the tomcat10-10.1.42-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15302 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-46701/ SUSE CVE CVE-2025-46701 page https://www.suse.com/security/cve/CVE-2025-48988/ SUSE CVE CVE-2025-48988 page https://www.suse.com/security/cve/CVE-2025-49125/ SUSE CVE CVE-2025-49125 page openSUSE Tumbleweed tomcat10-10.1.42-1.1 tomcat10-admin-webapps-10.1.42-1.1 tomcat10-doc-10.1.42-1.1 tomcat10-docs-webapp-10.1.42-1.1 tomcat10-el-5_0-api-10.1.42-1.1 tomcat10-embed-10.1.42-1.1 tomcat10-jsp-3_1-api-10.1.42-1.1 tomcat10-jsvc-10.1.42-1.1 tomcat10-lib-10.1.42-1.1 tomcat10-servlet-6_0-api-10.1.42-1.1 tomcat10-webapps-10.1.42-1.1 tomcat10-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-admin-webapps-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-doc-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-docs-webapp-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-el-5_0-api-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-embed-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-jsp-3_1-api-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-jsvc-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-lib-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-servlet-6_0-api-10.1.42-1.1 as a component of openSUSE Tumbleweed tomcat10-webapps-10.1.42-1.1 as a component of openSUSE Tumbleweed Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. CVE-2025-46701 openSUSE Tumbleweed:tomcat10-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-admin-webapps-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-doc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-docs-webapp-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-el-5_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-embed-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsp-3_1-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsvc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-lib-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-servlet-6_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-webapps-10.1.42-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46701.html CVE-2025-46701 https://bugzilla.suse.com/1243815 SUSE Bug 1243815 Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. CVE-2025-48988 openSUSE Tumbleweed:tomcat10-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-admin-webapps-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-doc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-docs-webapp-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-el-5_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-embed-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsp-3_1-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsvc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-lib-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-servlet-6_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-webapps-10.1.42-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48988.html CVE-2025-48988 https://bugzilla.suse.com/1244656 SUSE Bug 1244656 Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. CVE-2025-49125 openSUSE Tumbleweed:tomcat10-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-admin-webapps-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-doc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-docs-webapp-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-el-5_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-embed-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsp-3_1-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-jsvc-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-lib-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-servlet-6_0-api-10.1.42-1.1 openSUSE Tumbleweed:tomcat10-webapps-10.1.42-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-49125.html CVE-2025-49125 https://bugzilla.suse.com/1244649 SUSE Bug 1244649