CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
TOCTOU
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.34-0+deb12u2
fixed
bookworm (security)
10.1.34-0+deb12u2
fixed
sid
10.1.40-1
fixed
trixie
10.1.40-1
fixed
tomcat9
bullseye
vulnerable
bullseye (security)
9.0.43-2~deb11u12
fixed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat10
plucky
not-affected
oracular
needed
noble
needed
jammy
dne
focal
dne
tomcat6
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
needs-triage
trusty
needs-triage
tomcat7
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
tomcat8
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
tomcat9
plucky
needed
oracular
needed
noble
needed
jammy
needed
focal
needed
bionic
needed
Common Weakness Enumeration
References
https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
http://www.openwall.com/lists/oss-security/2024/12/17/4
http://www.openwall.com/lists/oss-security/2024/12/18/2
https://security.netapp.com/advisory/ntap-20250103-0003/