Associated vulnerability
Title:
Apache Tomcat environment issue vulnerability
(CVE-2025-24813)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (United States) that implements support for Servlets and JavaServer Pages (JSP). Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34 and 9.0.0.M1 through 9.0.98 contain an environment issue vulnerability. An attacker who exploits it can execute code remotely or disclose sensitive information.
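A version check derived from the affected ranges listed above, added here as example code (it is not part of this page or of the PoC repository). It parses `Apache Tomcat/x.y.z` strings, including milestone builds such as `9.0.0.M1` and `11.0.0-M26`, and reports the release that fixed the branch (9.0.99, 10.1.35, 11.0.3 per the Tomcat security pages). The sample inputs in `main` are constructed. A version inside a range means the vulnerable code paths are present, not that the instance is exploitable: that also needs a writable default servlet, a `FileStore` at its default directory and a deserialization gadget chain on the classpath.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: checks a Tomcat version string against the CVE-2025-24813 affected ranges. */
public final class Cve202524813VersionCheck {

    /** Milestone builds ("9.0.0.M1", "11.0.0-M26") sort before the GA build of the same number. */
    record Version(int major, int minor, int patch, int milestone) implements Comparable<Version> {
        static final int GA = Integer.MAX_VALUE;
        static final Pattern FORMAT =
                Pattern.compile("^(?:Apache Tomcat/)?(\\d+)\\.(\\d+)\\.(\\d+)(?:[.-]M(\\d+))?$");

        static Version parse(String text) {
            Matcher m = FORMAT.matcher(text.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("unrecognised Tomcat version: " + text);
            }
            int milestone = m.group(4) == null ? GA : Integer.parseInt(m.group(4));
            return new Version(Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                    Integer.parseInt(m.group(3)), milestone);
        }

        boolean sameBranch(Version o) {
            return major == o.major && minor == o.minor;
        }

        @Override
        public int compareTo(Version o) {
            int c = Integer.compare(major, o.major);
            if (c == 0) c = Integer.compare(minor, o.minor);
            if (c == 0) c = Integer.compare(patch, o.patch);
            if (c == 0) c = Integer.compare(milestone, o.milestone);
            return c;
        }
    }

    /** One affected branch: first and last affected build, and the release that fixed it. */
    record Range(Version first, Version last, String fixedIn) {
        boolean contains(Version v) {
            return v.sameBranch(first) && v.compareTo(first) >= 0 && v.compareTo(last) <= 0;
        }
    }

    /** Ranges as listed in the description above; fix versions from the Tomcat security pages. */
    static final List<Range> AFFECTED = List.of(
            new Range(Version.parse("9.0.0.M1"), Version.parse("9.0.98"), "9.0.99"),
            new Range(Version.parse("10.1.0-M1"), Version.parse("10.1.34"), "10.1.35"),
            new Range(Version.parse("11.0.0-M1"), Version.parse("11.0.2"), "11.0.3"));

    /** Returns the fixing release if the version is inside a published affected range, else null. */
    static String affectedFixedIn(String versionText) {
        Version v = Version.parse(versionText);
        for (Range r : AFFECTED) {
            if (r.contains(v)) {
                return r.fixedIn();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a Server header value, a GA boundary, a milestone, an unlisted branch.
        String[] samples = args.length > 0 ? args
                : new String[] {"Apache Tomcat/10.1.24", "9.0.99", "11.0.0-M1", "10.0.27"};
        for (String s : samples) {
            String fix = affectedFixedIn(s);
            System.out.println(s + " -> " + (fix == null
                    ? "not in a published affected range (an unlisted branch is not thereby cleared)"
                    : "AFFECTED, fixed in " + fix));
        }
    }
}
```

`affectedFixedIn("Apache Tomcat/10.1.24")` returns `"10.1.35"`, the case this PoC targets; `9.0.99` and `11.0.3` return null. Branches the advisory does not list (for example the end-of-life 10.0.x line) also return null, which the output labels as "not in a published affected range" rather than as safe.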
Description
POC for CVE-2025-24813 using Spring-Boot
Introduction
# CVE-2025-24813: Apache
## 1. Explanation
Tomcat is vulnerable because of two separate weaknesses. The first is in the DefaultServlet: when it accepts a partial PUT (a request carrying a `Content-Range` header), it writes the uploaded body to a temporary file in the servlet context's temp directory before the final write to the web root is attempted, and that temp file survives even if the final write fails. The temp file is named after the request path with every `/` replaced by `.`, so the client controls both its contents and, within that directory, its name.
see:
https://github.com/apache/tomcat/blob/f2a274bc00cf73670a614999561c69a391b5e35f/java/org/apache/catalina/servlets/DefaultServlet.java#L608
The second is in the FileStore session store. When a request presents a session ID that the PersistentManager does not hold in memory, FileStore loads `<sessionId>.session` from its store directory, which defaults to that same context temp directory, and deserializes it with Java serialization. A file planted through the first weakness is therefore loaded as a session by the second. Turning the deserialization into code execution additionally requires a suitable gadget chain on the application's classpath, which the Apache advisory lists as a precondition.
see:
https://github.com/apache/tomcat/blob/05a72ef525e41835aaf5ce3d04122970f4aa8c21/java/org/apache/catalina/session/FileStore.java#L202
## 2. Vulnerable Tomcat Configuration
The application uses Tomcat 10.1.24 (the version bundled with Spring Boot 3.3.0), which falls inside the affected range of CVE-2025-24813, and configures it with:
- File-based session persistence using `PersistentManager` and `FileStore`, with the store directory left at its default (the context temp directory), which the exploit chain requires so that a partial-PUT temp file can be read back as a session
- The default servlet re-enabled (`server.servlet.register-default-servlet=true`; Spring Boot does not register it on its own)
- Read-only mode disabled for the default servlet (`readonly=false` init parameter, so PUT requests are accepted; Tomcat's default is `readonly=true`)
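The wiring the list above describes, as an added example rather than the repository's own `TomcatConfiguration.java` or `ServletConfig.java` (whose contents are not shown on this page). The class name, the Spring profile names and the hardened store path are assumptions; the Tomcat and Spring Boot APIs used are real. The `vulnerable` profile reproduces the three settings; the `hardened` profile shows the configuration to run instead while the actual fix, upgrading to a Tomcat release outside the affected range, is applied.

```java
package com.example.tomcatcve202524813;

import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.session.FileStore;
import org.apache.catalina.session.PersistentManager;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

/**
 * Added example (not the repository's own TomcatConfiguration.java): the session-store
 * and default-servlet settings that make CVE-2025-24813 reachable, beside a hardened form.
 * Both customizers expect server.servlet.register-default-servlet=true in
 * application.properties; that setting is what makes a Wrapper named "default" exist here.
 */
@Configuration
public class SessionStoreConfig {   // class name is an assumption

    @Bean
    @Profile("vulnerable")   // profile name is an assumption
    public TomcatContextCustomizer vulnerableSessionStore() {
        return (Context context) -> {
            PersistentManager manager = new PersistentManager();
            FileStore store = new FileStore();
            // No setDirectory(): FileStore resolves its directory relative to the
            // context temp dir (javax.servlet.context.tempdir), the same directory
            // DefaultServlet uses for partial-PUT temp files.
            manager.setStore(store);
            context.setManager(manager);

            // Spring Boot registers DefaultServlet with readonly left at Tomcat's
            // default (true). Flipping it makes the servlet accept PUT and DELETE.
            Wrapper defaultServlet = (Wrapper) context.findChild("default");
            if (defaultServlet != null) {
                defaultServlet.addInitParameter("readonly", "false");
            }
        };
    }

    @Bean
    @Profile("hardened")   // profile name is an assumption
    public TomcatContextCustomizer hardenedSessionStore() {
        return (Context context) -> {
            PersistentManager manager = new PersistentManager();
            FileStore store = new FileStore();
            // An absolute path outside the context temp dir: files the default
            // servlet writes there can no longer be loaded as sessions. Path is assumed.
            store.setDirectory("/var/lib/tomcat-sessions");
            manager.setStore(store);
            context.setManager(manager);
            // The "readonly" init-param is deliberately not set: Tomcat's default
            // of true rejects PUT before any temp file is written.
        };
    }
}
```

Run with `--spring.profiles.active=vulnerable` to reproduce the PoC's conditions on a version inside the affected range, or `--spring.profiles.active=hardened` to see the same `PersistentManager`/`FileStore` pair with the two preconditions removed. Moving the store directory and leaving `readonly` alone only close this particular chain; the Tomcat upgrade is still required.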
## 3. Nuclei template command
See template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24813.yaml
An interaction cooldown of 60 seconds is needed because it takes a while before the FileStore picks up the planted session file and the payload executes; without it nuclei stops polling for the out-of-band callback too early and reports a miss:
`nuclei -target http://localhost:8080/ -t http/cves/2025/CVE-2025-24813.yaml -interactions-cooldown-period 60 -v`
File snapshot
```text
[4.0K] /data/pocs/8f58330dd223ac2f658c4a2a25db583aba632b73
├── [ 10K] mvnw
├── [6.9K] mvnw.cmd
├── [1.6K] pom.xml
├── [1.3K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] com
    │   │       └── [4.0K] example
    │   │           └── [4.0K] tomcatcve202524813
    │   │               ├── [1.1K] ServletConfig.java
    │   │               ├── [2.0K] TomcatConfiguration.java
    │   │               ├── [ 359] TomcatCve202524813Application.java
    │   │               └── [ 498] WebConfiguration.java
    │   └── [4.0K] resources
    │       └── [ 575] application.properties
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] example
                    └── [4.0K] tomcatcve202524813
                        └── [ 243] TomcatCve202524813ApplicationTests.java

12 directories, 10 files
```
Notes
1. Please access the PoC through its original source first.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of this PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.