9.1

CVE-2025-66614

Improper Input Validation vulnerability.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.

The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI 
extension was the same as the host name provided in the HTTP host header 
field. If Tomcat was configured with more than one virtual host and the 
TLS configuration for one of those hosts did not require client 
certificate authentication but another one did, it was possible for a 
client to bypass the client certificate authentication by sending 
different host names in the SNI extension and the HTTP host header field.



The vulnerability only applies if client certificate authentication is 
only enforced at the Connector. It does not apply if client certificate 
authentication is enforced at the web application.


Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version >= 9.0.1 < 9.0.113
ApacheTomcat Version >= 10.1.1 < 10.1.50
ApacheTomcat Version >= 11.0.1 < 11.0.15
ApacheTomcat Version9.0.0 Updatemilestone1
ApacheTomcat Version9.0.0 Updatemilestone10
ApacheTomcat Version9.0.0 Updatemilestone11
ApacheTomcat Version9.0.0 Updatemilestone12
ApacheTomcat Version9.0.0 Updatemilestone13
ApacheTomcat Version9.0.0 Updatemilestone14
ApacheTomcat Version9.0.0 Updatemilestone15
ApacheTomcat Version9.0.0 Updatemilestone16
ApacheTomcat Version9.0.0 Updatemilestone17
ApacheTomcat Version9.0.0 Updatemilestone18
ApacheTomcat Version9.0.0 Updatemilestone19
ApacheTomcat Version9.0.0 Updatemilestone2
ApacheTomcat Version9.0.0 Updatemilestone20
ApacheTomcat Version9.0.0 Updatemilestone21
ApacheTomcat Version9.0.0 Updatemilestone22
ApacheTomcat Version9.0.0 Updatemilestone23
ApacheTomcat Version9.0.0 Updatemilestone24
ApacheTomcat Version9.0.0 Updatemilestone25
ApacheTomcat Version9.0.0 Updatemilestone26
ApacheTomcat Version9.0.0 Updatemilestone27
ApacheTomcat Version9.0.0 Updatemilestone3
ApacheTomcat Version9.0.0 Updatemilestone4
ApacheTomcat Version9.0.0 Updatemilestone5
ApacheTomcat Version9.0.0 Updatemilestone6
ApacheTomcat Version9.0.0 Updatemilestone7
ApacheTomcat Version9.0.0 Updatemilestone8
ApacheTomcat Version9.0.0 Updatemilestone9
ApacheTomcat Version10.1.0 Updatemilestone1
ApacheTomcat Version10.1.0 Updatemilestone10
ApacheTomcat Version10.1.0 Updatemilestone11
ApacheTomcat Version10.1.0 Updatemilestone12
ApacheTomcat Version10.1.0 Updatemilestone13
ApacheTomcat Version10.1.0 Updatemilestone14
ApacheTomcat Version10.1.0 Updatemilestone15
ApacheTomcat Version10.1.0 Updatemilestone16
ApacheTomcat Version10.1.0 Updatemilestone17
ApacheTomcat Version10.1.0 Updatemilestone18
ApacheTomcat Version10.1.0 Updatemilestone19
ApacheTomcat Version10.1.0 Updatemilestone2
ApacheTomcat Version10.1.0 Updatemilestone20
ApacheTomcat Version10.1.0 Updatemilestone3
ApacheTomcat Version10.1.0 Updatemilestone4
ApacheTomcat Version10.1.0 Updatemilestone5
ApacheTomcat Version10.1.0 Updatemilestone6
ApacheTomcat Version10.1.0 Updatemilestone7
ApacheTomcat Version10.1.0 Updatemilestone8
ApacheTomcat Version10.1.0 Updatemilestone9
ApacheTomcat Version11.0.0 Updatemilestone1
ApacheTomcat Version11.0.0 Updatemilestone10
ApacheTomcat Version11.0.0 Updatemilestone11
ApacheTomcat Version11.0.0 Updatemilestone12
ApacheTomcat Version11.0.0 Updatemilestone13
ApacheTomcat Version11.0.0 Updatemilestone14
ApacheTomcat Version11.0.0 Updatemilestone15
ApacheTomcat Version11.0.0 Updatemilestone16
ApacheTomcat Version11.0.0 Updatemilestone17
ApacheTomcat Version11.0.0 Updatemilestone18
ApacheTomcat Version11.0.0 Updatemilestone19
ApacheTomcat Version11.0.0 Updatemilestone2
ApacheTomcat Version11.0.0 Updatemilestone20
ApacheTomcat Version11.0.0 Updatemilestone21
ApacheTomcat Version11.0.0 Updatemilestone22
ApacheTomcat Version11.0.0 Updatemilestone23
ApacheTomcat Version11.0.0 Updatemilestone24
ApacheTomcat Version11.0.0 Updatemilestone25
ApacheTomcat Version11.0.0 Updatemilestone26
ApacheTomcat Version11.0.0 Updatemilestone3
ApacheTomcat Version11.0.0 Updatemilestone4
ApacheTomcat Version11.0.0 Updatemilestone5
ApacheTomcat Version11.0.0 Updatemilestone6
ApacheTomcat Version11.0.0 Updatemilestone7
ApacheTomcat Version11.0.0 Updatemilestone8
ApacheTomcat Version11.0.0 Updatemilestone9
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.132
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.6 2.8 4.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.