False finding for CVE-2025-41242

fdevans · fdevans · commit 1f72fdeff02b · 2025-08-27T14:04:44.000-07:00
diff --git a/docs/history/cves/CVE-2025-41242.md b/docs/history/cves/CVE-2025-41242.md
@@ -0,0 +1,13 @@
+---
+order: 51
+---
+
+# CVE-2025-41242
+
+## Path traversal vulnerability on non-compliant Servlet containers
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable disable the default security features.
diff --git a/docs/history/cves/CVE-2025-48924.md b/docs/history/cves/CVE-2025-48924.md
@@ -1,5 +1,5 @@
 ---
-order: 51
+order: 52
 ---
 
 # CVE-2025-48924
