Publication date: 20 August 2025

Publication date: 20 August 2025
Publication date: 20 August 2025
Overview: Several security issues were fixed in Tomcat.
Releases: 25.04 ,24.04 LTS

Packages
tomcat10 - Servlet and JSP engine

Details
It was discovered that Tomcat did not correctly handle case sensitivity.
An attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-46701)

Elysee Franchuk discovered that Tomcat did not correctly limit the number
of attributes for a session. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS.
(CVE-2024-54677)

It was discovered that Tomcat did not correctly sanitize certain URLs. An
attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-31651)

It was discovered that Tomcat did not correctly handle certain malformed
HTTP headers,
which could lead to a memory leak. An attacker could possibly use this
issue to cause a denial of service. This issue only affected
Ubuntu 24.04 LTS. (CVE-2025-31650)

It was discovered that Tomcat did not correctly handle concurrent
operations under certain circumstances. An attacker could possibly use
this issue to execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-50379)

It was discovered that Tomcat did not correctly handle certain
authentication errors. An attacker could possibly use this issue to
bypass authentication mechanisms. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-52316)

Update instructions
The problem can be corrected by updating your system to the following package versions:

25.04 plucky

• libtomcat10-java – 10.1.35-1ubuntu0.1
• tomcat10 – 10.1.35-1ubuntu0.1

24.04 noble

• libtomcat10-java – 10.1.16-1ubuntu0.1~esm3
• tomcat10 – 10.1.16-1ubuntu0.1~esm3