PT-2025-45666 — Untrusted Search Path in Maven Org.Apache.Tomcat.Embed:Tomcat-Embed-Core+2

PT-2025-45666 · Maven · Org.Apache.Tomcat.Embed:Tomcat-Embed-Core+2

Published

2025-06-16

Updated

2025-06-16

CVSS v4.0

4.8

Medium

Vector

AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Fix

Untrusted Search Path

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-426

Related Identifiers

GHSA-42WG-HM62-JCWG

Affected Products

Org.Apache.Tomcat.Embed:Tomcat-Embed-Core

Org.Apache.Tomcat:Tomcat

Org.Apache.Tomcat:Tomcat-Catalina

PT-2025-45666 · Maven · Org.Apache.Tomcat.Embed:Tomcat-Embed-Core+2

Weakness Enumeration

Related Identifiers

Affected Products

References · 11