{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-24T10:17:31.559","vulnerabilities":[{"cve":{"id":"CVE-2025-49124","sourceIdentifier":"security@apache.org","published":"2025-06-16T15:15:24.707","lastModified":"2026-06-17T09:30:47.160","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.\n\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue."},{"lang":"es","value":"Vulnerabilidad de ruta de búsqueda no confiable en el instalador de Apache Tomcat para Windows. Durante la instalación, el instalador de Tomcat para Windows utilizó icacls.exe sin especificar una ruta completa. Este problema afecta a Apache Tomcat: de 11.0.0-M1 a 11.0.7, de 10.1.0 a 10.1.41, y de 9.0.23 a 9.0.105. Se recomienda actualizar a las versiones 11.0.8, 10.1.42 o 9.0.106, que solucionan el problema."}],"affected":[{"source":"security@apache.org","affectedData":[{"vendor":"Apache Software Foundation","product":"Apache Tomcat","defaultStatus":"unaffected","versions":[{"version":"11.0.0-M1","lessThanOrEqual":"11.0.7","versionType":"semver","status":"affected"},{"version":"10.1.0","lessThanOrEqual":"10.1.41","versionType":"semver","status":"affected"},{"version":"9.0.23","lessThanOrEqual":"9.0.105","versionType":"semver","status":"affected"},{"version":"8.5.44","lessThanOrEqual":"8.5.100","versionType":"semver","status":"affected"},{"version":"7.0.95","lessThanOrEqual":"7.0.109","versionType":"semver","status":"affected"},{"version":"10.0.0-M1","lessThanOrEqual":"10.0.27","versionType":"semver","status":"unknown"}]}]}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-06-17T14:03:41.847617Z","id":"CVE-2025-49124","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-426"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.23","versionEndExcluding":"9.0.106","matchCriteriaId":"75453702-175A-473F-8F94-5B37BC6AE150"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"10.1.0","versionEndExcluding":"10.1.42","matchCriteriaId":"573ACC55-1E48-4489-A269-12C1A4501DDA"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0.0","versionEndExcluding":"11.0.8","matchCriteriaId":"EE393E87-D325-4ABB-B49C-5863ECD3DD83"}]}]}],"references":[{"url":"https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2025/06/16/3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}