Published
Last updated
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: -Â writes enabled for the default servlet (disabled by default)
If all of the following were true, a malicious user was able to perform remote code execution:
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.