
CVE-2025-24813: DMC probably not affected & patches

A vulnerability, CVE-2025-24813, has been disclosed that affects the Tomcat web application server.

A version of Tomcat is included in the INFOMOTION Data Management Center package and is used for the containerized and standalone deployment options.

While the vulnerability is flagged as potentially having a critical impact, the published information lists very specific preconditions. Based on our understanding, the information disclosure and remote code execution scenarios depend, among other things, on the following preconditions being met:

  • The Tomcat default servlet must be enabled
  • Additionally, it must be configured to enable writes

Neither of these preconditions is met in the INFOMOTION Data Management Center:

  • The Tomcat Default Servlet is not enabled within DMC.
  • Also, the servlet is read-only by default unless explicitly configured otherwise, which DMC does not do.

Nonetheless, we will be releasing an updated version 2024.2.4 of Data Management Center shortly that includes a patched version of Apache Tomcat.

Please note that this patch only secures containerized or standalone DMC deployments. When deployed within a custom Tomcat installation, that installation should be patched as well.
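For a custom Tomcat installation, the two preconditions listed above can be checked in the `web.xml` descriptors. The following is an added example, not part of DMC or of the original advisory: the function name `audit_web_xml` and the sample descriptor are constructed for illustration, while `org.apache.catalina.servlets.DefaultServlet` and its `readonly` init-param are Tomcat's own names. It checks configuration only, not whether the installation is patched.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample descriptor (not DMC's configuration): mapped and writable.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

def _local(tag):
    # Drop the XML namespace so javaee and jakartaee descriptors parse alike.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None

def audit_web_xml(xml_text):
    """Return one finding per DefaultServlet declaration in a web.xml document."""
    root = ET.fromstring(xml_text)
    mapped = {}
    for m in _children(root, "servlet-mapping"):
        patterns = [(p.text or "").strip() for p in _children(m, "url-pattern")]
        mapped.setdefault(_text(m, "servlet-name"), []).extend(patterns)
    findings = []
    for s in _children(root, "servlet"):
        if _text(s, "servlet-class") != DEFAULT_SERVLET:
            continue
        readonly = True  # the servlet is read-only unless configured otherwise
        for p in _children(s, "init-param"):
            if _text(p, "param-name") == "readonly":
                # Conservative: any value other than "true" counts as writable.
                readonly = (_text(p, "param-value") or "").lower() == "true"
        patterns = mapped.get(_text(s, "servlet-name"), [])
        findings.append({"servlet": _text(s, "servlet-name"), "url_patterns": patterns,
                         "enabled": bool(patterns), "writes_enabled": not readonly,
                         "preconditions_met": bool(patterns) and not readonly})
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE):
        print(finding)
```

Run it against both the server-wide `conf/web.xml` and each application's `WEB-INF/web.xml`, since either file can declare or map the servlet.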