ALAS2023-2025-1031

Amazon Linux 2023 Security Advisory: ALAS2023-2025-1031
Advisory Released Date: 2025-06-23
Advisory Updated Date: 2025-06-23

Severity: Medium

References: CVE-2025-46701
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.

Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. (CVE-2025-46701)

Affected Packages:

tomcat10

Issue Correction:
Run dnf update tomcat10 --releasever 2023.7.20250623 to update your system.

New Packages:

noarch:
    tomcat10-docs-webapp-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-webapps-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-servlet-6.0-api-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-el-5.0-api-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-admin-webapps-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-jsp-3.1-api-10.1.41-1.amzn2023.0.1.noarch
    tomcat10-lib-10.1.41-1.amzn2023.0.1.noarch

src:
    tomcat10-10.1.41-1.amzn2023.0.1.src

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-46701

Mitre: CVE-2025-46701