1. Ubuntu Security Notices
  2. USN-7705-1

USN-7705-1: Tomcat vulnerabilities

Publication date

20 August 2025

Overview

Several security issues were fixed in Tomcat.

Releases

Packages

Details

It was discovered that Tomcat did not correctly handle case sensitivity.
An attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-46701)

Elysee Franchuk discovered that Tomcat did not correctly limit the number
of attributes for a session. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS.
(CVE-2024-54677)

It was discovered that Tomcat did not correctly sanitize certain URLs. An
attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-31651)

It was discovered that Tomcat did not correctly handle certain malformed
HTTP headers,
which could lead to a memory leak. An attacker could possibly use this
issue to cause a denial of service. This issue only affected
Ubuntu 24.04 LTS. (

It was discovered that Tomcat did not correctly handle case sensitivity.
An attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-46701)

Elysee Franchuk discovered that Tomcat did not correctly limit the number
of attributes for a session. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS.
(CVE-2024-54677)

It was discovered that Tomcat did not correctly sanitize certain URLs. An
attacker could possibly use this issue to bypass authentication
mechanisms. (CVE-2025-31651)

It was discovered that Tomcat did not correctly handle certain malformed
HTTP headers,
which could lead to a memory leak. An attacker could possibly use this
issue to cause a denial of service. This issue only affected
Ubuntu 24.04 LTS. (CVE-2025-31650)

It was discovered that Tomcat did not correctly handle concurrent
operations under certain circumstances. An attacker could possibly use
this issue to execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-50379)

It was discovered that Tomcat did not correctly handle certain
authentication errors. An attacker could possibly use this issue to
bypass authentication mechanisms. This issue only affected
Ubuntu 24.04 LTS. (CVE-2024-52316)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
25.04 plucky libtomcat10-java –  10.1.35-1ubuntu0.1
tomcat10 –  10.1.35-1ubuntu0.1
24.04 noble libtomcat10-java –  10.1.16-1ubuntu0.1~esm3  
tomcat10 –  10.1.16-1ubuntu0.1~esm3  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›