Question

Tomcat Vulnerability CVSS 9.8!

  • August 25, 2025
  • 3 replies
  • 225 views


Hi, 

We are currently running Commvault 11.32.102 and we are affected by the following CVEs:
CVE-2025-48988
CVE-2024-54677
CVE-2025-49124
CVE-2025-46701
CVE-2024-50379
CVE-2024-56337
CVE-2025-31651
CVE-2025-49125
CVE-2025-24813
CVE-2025-53506
CVE-2024-52318
CVE-2025-52520
CVE-2025-31650

Support mentioned that the vulnerabilities do NOT affect Commvault.
But this version of Tomcat (10.1.31.0) is still vulnerable, and it is solved in version 10.1.42, which requires 11.42 (which is not an LTS version).

How to solve it in current LTS versions (11.32, 11.36 or 11.40)?


3 replies

  • Vaulter
  • August 26, 2025

Hi @Vjduuren,

Kindly refer to the document below. Please note that Apache Tomcat version 10.1.42, which is an LTS release, is included as part of SP40.

https://documentation.commvault.com/v11/commcell-console/third_party_applications_installed_by_commvault_installer.html

Onno van den Berg
Commvault Certified Expert

In most cases, whether you are actually vulnerable to a CVE really depends on whether the affected method or capability is used by the application that is running as a web app. So, yes, the scanner will say it is a vulnerable version, but it doesn't necessarily mean you are at risk. It would be nice to get some understanding of how Commvault monitors and assesses the vulnerability state of their dependent libraries and frameworks to come to a decision on whether an update is required or not.

@Pradeep, can we assume this Tomcat version is also brought to other LTS releases?

B.t.w., I used AI to examine each CVE and give back the fix version and date:

| CVE ID | CVSS Score | Summary | Fix Version | Fix Release DateTime |
|---|---|---|---|---|
| CVE-2025-31651 | 9.8 | Improper Neutralization of Escape, Meta, or Control Sequences allows bypassing rewrite rules and security constraints. | 11.0.6, 10.1.40, 9.0.104 | 2025-04-28 20:15:00 |
| CVE-2025-24813 | 9.8 | Path Equivalence vulnerability allows remote code execution and information disclosure. | 11.0.3, 10.1.35, 9.0.99 | 2025-03-10 10:00:00 |
| CVE-2024-56337 | 9.8 | TOCTOU Race Condition during JSP compilation allows remote code execution. | 11.0.3, 10.1.35, 9.0.99 | 2024-12-20 15:28:55 |
| CVE-2024-50379 | 9.8 | TOCTOU vulnerability permits remote code execution when default servlet is write-enabled. | 11.0.2, 10.1.34, 9.0.98 | 2024-12-17 11:35:00 |
| CVE-2025-49124 | 8.4 | Untrusted Search Path in Windows installer due to use of icacls.exe without full path. | 11.0.8, 10.1.42, 9.0.106 | 2025-06-16 15:15:25 |
| CVE-2025-49125 | 7.5 | Authentication Bypass using PreResources or PostResources mounted outside root. | 11.0.8, 10.1.42, 9.0.106 | 2025-06-16 15:15:25 |
| CVE-2025-53506 | 7.5 | Uncontrolled Resource Consumption when HTTP/2 client fails to acknowledge settings frame. | 11.0.9, 10.1.43, 9.0.107 | 2025-07-10 19:14:23 |
| CVE-2025-48988 | 7.5 | Allocation of Resources Without Limits during multipart uploads allows denial of service. | 11.0.8, 10.1.42, 9.0.106 | 2025-06-16 15:15:25 |
| CVE-2025-46701 | 7.3 | Improper Handling of Case Sensitivity in CGI servlet allows bypassing security constraints. | 11.0.7, 10.1.41, 9.0.105 | 2025-05-29 19:15:00 |
| CVE-2024-54677 | 5.3 | Uncontrolled Resource Consumption in examples web application leads to denial of service. | 11.0.2, 10.1.34, 9.0.98 | 2024-12-17 08:15:18 |
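
An added example (not from this thread or from Commvault) that turns the fix-version table above into a branch-aware check: it parses the installed Tomcat version, picks the fix on the same major.minor branch, and lists the CVEs the installed build is still below; the fix versions are taken from the poster's AI-generated table and are not independently verified here. Commvault's four-component version string (10.1.31.0) is assumed to carry the upstream Tomcat version in its first three components.

```python
# Added example (not from the thread or Commvault): branch-aware check of an
# installed Tomcat version against the fix versions in the table above.
from typing import Dict, List, Optional, Tuple

# Fix versions per CVE, copied from the (AI-generated, per the poster) table above.
FIX_VERSIONS: Dict[str, List[str]] = {
    "CVE-2025-31651": ["11.0.6", "10.1.40", "9.0.104"],
    "CVE-2025-24813": ["11.0.3", "10.1.35", "9.0.99"],
    "CVE-2024-56337": ["11.0.3", "10.1.35", "9.0.99"],
    "CVE-2024-50379": ["11.0.2", "10.1.34", "9.0.98"],
    "CVE-2025-49124": ["11.0.8", "10.1.42", "9.0.106"],
    "CVE-2025-49125": ["11.0.8", "10.1.42", "9.0.106"],
    "CVE-2025-53506": ["11.0.9", "10.1.43", "9.0.107"],
    "CVE-2025-48988": ["11.0.8", "10.1.42", "9.0.106"],
    "CVE-2025-46701": ["11.0.7", "10.1.41", "9.0.105"],
    "CVE-2024-54677": ["11.0.2", "10.1.34", "9.0.98"],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'10.1.31.0' -> (10, 1, 31, 0); rejects non-numeric components."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def branch_fix(installed: Tuple[int, ...], fixes: List[str]) -> Optional[Tuple[int, ...]]:
    """Fix version on the same major.minor branch as the installed version, if any."""
    for fix in fixes:
        fv = parse_version(fix)
        if fv[:2] == installed[:2]:
            return fv
    return None

def unfixed_cves(installed_text: str, table: Dict[str, List[str]] = FIX_VERSIONS) -> Dict[str, str]:
    """CVEs whose branch fix is newer than the installed version, mapped to that fix.
    A CVE with no fix listed for the installed branch is flagged rather than ignored."""
    installed = parse_version(installed_text)
    result: Dict[str, str] = {}
    for cve, fixes in table.items():
        fix = branch_fix(installed, fixes)
        if fix is None:
            result[cve] = "no fix on branch"
        elif installed[:3] < fix[:3]:  # Commvault's 4th component is ignored
            result[cve] = ".".join(map(str, fix))
    return result

if __name__ == "__main__":
    for ver in ("10.1.31.0", "10.1.42"):
        print(ver, sorted(unfixed_cves(ver)))
```

On the table's own numbers, 10.1.31.0 is below every listed fix, while 10.1.42 (the SP40 build mentioned in the first reply) still sits below the 10.1.43 fix the table gives for CVE-2025-53506, so the vendor bundle and the scanner table are worth reconciling rather than assuming one closes the other.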

  • Vaulter
  • August 29, 2025

Hi @Onno van den Berg,

The latest Tomcat version is also part of the remaining new LTS versions.