CVE-2025-24813

darkfader
Posts: 28
Joined: Sat Dec 11, 2021 11:39 pm
ZCS/ZD Version: 9.x zextras (20u) + 9.x NE (~300u)

CVE-2025-24813

Post by darkfader »

Hi,

this https://nvd.nist.gov/vuln/detail/CVE-2025-24813 CVE smells like it affects Zimbra, and importantly, across many generations of installations.
Could anyone comment on what they think the impact is?

NIST writes:
'Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.'

I can see that there was this fix to Zimbra's setup in 10.1.6 which is a most basic and long missing improvement, and should(!) be a small mitigation: 'Write access to /opt/zimbra/jetty/webapps has been restricted to enhance security and mitigate potential risks.' I'm grateful that these things are now being improved (like auditd policies, too), all of which will make it more secure _and_ improve troubleshooting.
As they speak about a default servlet, there's a chance that it doesn't exist in Zimbra's deployment/tomcat, thus I'm asking.
Back in my web ops days we would absolutely make sure no default applications or default databases etc. existed on systems, but I frankly don't know enough to tell what's happening in Zimbra.
rainer_d
Advanced member
Posts: 134
Joined: Fri Sep 12, 2014 11:40 pm

Re: CVE-2025-24813

Post by rainer_d »

Zimbra uses jetty.
darkfader
Posts: 28
Joined: Sat Dec 11, 2021 11:39 pm
ZCS/ZD Version: 9.x zextras (20u) + 9.x NE (~300u)

Re: CVE-2025-24813

Post by darkfader »

Thank you... I was too tired to keep the two apart. Nice, good news then :-)
smithingestimate
Posts: 1
Joined: Fri Apr 18, 2025 1:44 am

Re: CVE-2025-24813

Post by smithingestimate »

Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are all impacted by this problem.
siliconalchemy
Posts: 27
Joined: Wed Jan 03, 2018 8:39 am

Re: CVE-2025-24813

Post by siliconalchemy »

smithingestimate wrote: Fri Apr 18, 2025 1:46 am
Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are all impacted by this problem.

... which, again, has nothing to do with Zimbra.
BradC
Outstanding Member
Posts: 379
Joined: Tue May 03, 2016 1:39 am

Re: CVE-2025-24813

Post by BradC »

siliconalchemy wrote: Fri Apr 18, 2025 8:59 am
smithingestimate wrote: Fri Apr 18, 2025 1:46 am
Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are all impacted by this problem.
... which, again, has nothing to do with Zimbra.

I wouldn't worry about it. That post is typical of a one-hit new poster who will come back and post spam later. Take an old thread, get a Google or "AI" summary of something that might sound vaguely relevant if you don't look closely at it, and spew it into a thread. Usually it's a (very) late edit to include link spam. The edit doesn't trigger a notification or bump, so it only gets discovered if someone stumbles across it later.
Thomasfrank
Posts: 1
Joined: Mon Jun 09, 2025 4:18 am

Re: CVE-2025-24813

Post by Thomasfrank »

darkfader wrote: Thu Mar 13, 2025 6:35 pm
Hi,

this https://nvd.nist.gov/vuln/detail/CVE-2025-24813 CVE smells like it affects Zimbra, and importantly, across many generations of installations.
Could anyone comment on what they think the impact is?

NIST writes:
'Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.'

I can see that there was this fix to Zimbra's setup in 10.1.6 which is a most basic and long missing improvement, and should(!) be a small mitigation: 'Write access to /opt/zimbra/jetty/webapps has been restricted to enhance security and mitigate potential risks.' I'm grateful that these things are now being improved (like auditd policies, too), all of which will make it more secure _and_ improve troubleshooting.
As they speak about a default servlet, there's a chance that it doesn't exist in Zimbra's deployment/tomcat, thus I'm asking.
Back in my web ops days we would absolutely make sure no default applications or default databases etc. existed on systems, but I frankly don't know enough to tell what's happening in Zimbra.

Thanks for raising a very important point. Not everyone who uses Zimbra can audit their system themselves, so your sharing is really helpful. If you could develop a small tool or guide to check if the default servlet exists, or if the current patch handles it correctly, it would help the community a lot. I believe it is time to push for more transparency and configuration control in Zimbra.
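A small check in the spirit of the tool Thomasfrank asks for, added here as an example and not code from the thread or from Zimbra: the NIST text ties CVE-2025-24813 to a "write enabled Default Servlet", which in Tomcat means the `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` in `conf/web.xml` set to `false` (Tomcat's default is `true`). The function parses a web.xml and reports whether that condition holds; the two embedded web.xml fragments are constructed samples, and on a Zimbra host (Jetty, per rainer_d) the Tomcat class is simply absent, so the check reports "not applicable".

```python
"""Report whether a Tomcat conf/web.xml declares a write-enabled DefaultServlet."""
import xml.etree.ElementTree as ET
from typing import Optional

TOMCAT_DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: DefaultServlet with writes enabled (the risky, non-default setting).
SAMPLE_WEB_XML_WRITABLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: same declaration with readonly left at Tomcat's default (no init-param).
SAMPLE_WEB_XML_DEFAULT = SAMPLE_WEB_XML_WRITABLE.replace(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>", "")


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({uri}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> Optional[bool]:
    """True if Tomcat's DefaultServlet has readonly=false, False if it is read-only,
    None if no Tomcat DefaultServlet is declared (e.g. a Jetty deployment)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(e.text or "" for e in servlet if _local(e.tag) == "servlet-class")
        if cls.strip() != TOMCAT_DEFAULT_SERVLET:
            continue  # Jetty's DefaultServlet lives in another package; not this CVE
        readonly = "true"  # Tomcat's documented default for the readonly init-param
        for param in (e for e in servlet if _local(e.tag) == "init-param"):
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                readonly = value.lower()
        return readonly == "false"
    return None
```

Run it against a real file with `default_servlet_writable(open("/path/to/tomcat/conf/web.xml").read())`; a `True` result is the precondition NIST describes, while `None` means the Tomcat default servlet is not declared at all.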