On Mon, Nov 24, 2025 at 10:53 AM Harri Pesonen via users
<[email protected]> wrote:
>
> No, we don't use org.apache.catalina.valves.rewrite.RewriteValve
> which means that we are not affected?
You are not affected.
> Still I don't understand how PUT could do this if our PUT does not manipulate
> files.
This also uses the default servlet PUT, which does write files where
you tell it to.
Rémy
> PUT is done by
> @PUT
> @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
>
> -Harri
>
> -----Original Message-----
> From: Mark Thomas <[email protected]>
> Sent: Monday, 24 November 2025 11:29
> To: [email protected]
> Subject: Re: About CVE-2025-55752 - PUT to /WEB-INF/ or /META-INF/
>
> On 24/11/2025 08:54, Harri Pesonen via users wrote:
> > If we have a RESTful application that implements PUT for JSON and XML, then
> > are we affected by this?
> > I don't understand how a client could upload something to /WEB-INF/ or
> > /META-INF/ by PUT?
>
> Is the re-write valve enabled for that web application?
>
> If yes, do any of the rewrite rules rewrite one or more query parameters to
> the URL?
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
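
Added example, not part of the original thread and not Tomcat project code: a configuration audit for the three conditions the replies above ask about (RewriteValve configured, rewrite rules that use the query string, default servlet accepting PUT). It assumes the file contents are passed in as strings, that default servlet writes are enabled through its `readonly` init-param being set to false, and that a plain text match on QUERY_STRING is enough to flag a rule for manual review; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Drop an XML namespace prefix such as {https://jakarta.ee/xml/ns/jakartaee}
    return tag.rsplit("}", 1)[-1]

def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def has_rewrite_valve(xml_text):
    """True if a server.xml or context.xml document declares the RewriteValve."""
    return any(_local(e.tag) == "Valve" and e.get("className") == REWRITE_VALVE
               for e in ET.fromstring(xml_text).iter())

def default_servlet_writable(web_xml_text):
    """True if a DefaultServlet declaration sets readonly=false (PUT writes files)."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _children(servlet).get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _children(param)
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False

def rules_using_query_string(rewrite_config_text):
    """Non-comment rewrite.config lines that mention QUERY_STRING (coarse text match)."""
    return [ln.strip() for ln in rewrite_config_text.splitlines()
            if "QUERY_STRING" in ln and not ln.lstrip().startswith("#")]

def needs_review(context_xml, web_xml, rewrite_config):
    """All three conditions raised in the thread hold, so the app needs a closer look."""
    return (has_rewrite_valve(context_xml) and default_servlet_writable(web_xml)
            and bool(rules_using_query_string(rewrite_config)))

# Constructed sample inputs (not taken from any real deployment)
CONTEXT_XML = '<Context><Valve className="%s"/></Context>' % REWRITE_VALVE
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
  <servlet-name>default</servlet-name><servlet-class>%s</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>""" % DEFAULT_SERVLET
REWRITE_CONFIG = "# constructed rule\nRewriteCond %{QUERY_STRING} ^p=(.*)$\nRewriteRule ^/get$ /files/%1\n"

if __name__ == "__main__":
    print("needs review:", needs_review(CONTEXT_XML, WEB_XML, REWRITE_CONFIG))
```

A False result from `has_rewrite_valve` corresponds to the "You are not affected" answer above; a True result from `needs_review` only means the configuration should be read by hand and the Tomcat version checked against the advisory.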