Red Hat JBoss Web Server 6.2.0 is a security update that addresses three moderate-impact vulnerabilities in Apache Tomcat components bundled with the server. The fixed issues include a security constraint bypass for CGI scripts (CVE-2025-46701), session fixation vulnerability via the rewrite valve (CVE-2025-55668), and console manipulation (CVE-2025-55754). These vulnerabilities could potentially allow unauthorized actions related to web application security constraints, session management, and console operations. The update replaces the previous 6.1.3 release and is available for multiple Red Hat Enterprise Linux versions. Red Hat Product Security rates the overall impact as moderate and provides detailed release notes and errata for applying the update. No known exploits have been reported in the wild for these issues.

The vulnerabilities fixed in this release could allow attackers to bypass security constraints on CGI scripts, perform session fixation attacks via the rewrite valve, and manipulate the console, potentially undermining the security of hosted Java web applications. However, Red Hat rates the overall security impact as moderate. There are no known exploits in the wild at this time. The issues affect Red Hat JBoss Web Server 6.2.0 running on RHEL 8, 9, and 10.

Red Hat has released Red Hat JBoss Web Server 6.2.0 as a security update that addresses these vulnerabilities. Users should apply this update to replace version 6.1.3 and ensure all previously released errata relevant to their system are applied. Detailed instructions for applying the update are available in the Red Hat advisory and documentation. Since this is an official fix, applying the update is the recommended remediation. No additional mitigations are specified by the vendor.