[midPoint] Security Advisory: Potential Tomcat RCE Vulnerability (CVE-2025-24813)

Tony Tkacik tony.tkacik at evolveum.com
Tue Mar 18 17:00:06 CET 2025



Date: 18. 03. 2025 


Severity: 6.3 (High) 

Affected versions: All midPoint versions prior to 4.8.7, 4.9.2 

Fixed in versions: 4.8.7, 4.9.2 




Description 

An attacker may exploit the vulnerability CVE-2025-24813 if writes for the default servlet are enabled (this is disabled by default in midPoint). 

An attacker may inject content into files uploaded via Tomcat (midPoint uses Wicket upload rather than Tomcat) and may attempt a deserialization attack using file-based session persistence. 




Severity and Impact 

This is a High Severity issue. 

The attacker may be able to create or modify Tomcat uploads on midPoint servers when a custom Tomcat configuration is used. 




Mitigation 

Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance releases. 

If that is not possible, verify that your Tomcat configuration override does not enable writes for the default servlet. Such overrides are usually made in application.yml. 
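One way to perform the check above, as an added example that is not part of the advisory or of midPoint: the script parses a Tomcat web.xml (a constructed sample) and reports any DefaultServlet declaration whose readonly init-param is set to false. The midPoint application.yml override format is not shown on this page, so the example assumes the stock Tomcat web.xml layout.

```python
"""Report Tomcat DefaultServlet declarations that allow writes.

Added example, not part of the midPoint advisory or project. Assumes
the standard Tomcat web.xml layout, not the midPoint application.yml.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{http://...}servlet' from a tag."""
    return tag.rsplit("}", 1)[-1]


def writable_default_servlets(web_xml: str) -> list:
    """Return servlet names of DefaultServlets configured with readonly=false.

    Tomcat's DefaultServlet is read-only unless an init-param sets readonly
    to false, so a declaration without that param is not reported.
    """
    findings = []
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                findings.append(fields.get("servlet-name", "?"))
    return findings


# Constructed sample: an override that switches writes on (unsafe).
UNSAFE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet kept read-only (safe).
SAFE_WEB_XML = UNSAFE_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    print("writable default servlets:", writable_default_servlets(UNSAFE_WEB_XML))
```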




This advisory is also available at https://docs.evolveum.com/midpoint/security/advisories/026-potential-tomcat-rce-vulnerability/ 


-- 
Anton Tkáčik
Software Developer
evolveum.com 
