ELA-1376-1 tomcat9 security update

information disclosure

2025-04-04
Package: tomcat9
Version: 9.0.31-1~deb10u14 (buster)
Related CVEs: CVE-2025-24813


It was found that a malicious user was able to view security-sensitive files and/or inject content into those files when writes were enabled for the default servlet (disabled by default) and support for partial PUT was enabled (the default). Under certain circumstances, depending on the application in use, remote code execution may have been possible.



For Debian 10 buster, these problems have been fixed in version 9.0.31-1~deb10u14.

We recommend that you upgrade your tomcat9 packages.
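To see whether a deployment meets the two configuration conditions described above, the following added example (not part of the original advisory or of Tomcat) audits a `web.xml` for default servlet declarations. It assumes the servlet class name `org.apache.catalina.servlets.DefaultServlet` and the init-param names `readonly` and `allowPartialPut` from Tomcat's default servlet documentation, none of which are named in the advisory; the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample web.xml (not taken from any real system).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def local(tag):
    # Strip the XML namespace so descriptors of any schema version match.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def as_bool(value, default):
    # Assumption: an unset parameter keeps its default; a set one is true only for "true".
    return default if value is None else value.lower() == "true"

def audit_default_servlet(xml_text):
    """Return one finding per DefaultServlet declaration in a web.xml document."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        if child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in servlet if local(p.tag) == "init-param"}
        # Defaults as stated in the advisory: writes disabled, partial PUT enabled.
        writes = not as_bool(params.get("readonly"), True)
        partial = as_bool(params.get("allowPartialPut"), True)
        findings.append({"servlet": child_text(servlet, "servlet-name"),
                         "writes_enabled": writes, "partial_put": partial,
                         "preconditions_met": writes and partial})
    return findings

if __name__ == "__main__":
    for finding in audit_default_servlet(SAMPLE_WEB_XML):
        print(finding)
```

Run it against both the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since either can declare the default servlet. A `preconditions_met` result marks hosts to prioritise for the package upgrade.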

Further information about Extended LTS security advisories can be found in the dedicated section of our website.