CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition

Published: Dec 17, 2024 | Modified: Jan 03, 2025
Severity ratings by source:
NVD (CVSS 3.x): N/A
RedHat/V2 (CVSS 2.x): no score listed
RedHat/V3: 8.1 MODERATE (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Ubuntu: MEDIUM

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (a non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

Affected Software

Name | Vendor | Start Version | End Version
Red Hat Enterprise Linux 8 | RedHat | tomcat-1:9.0.87-1.el8_10.3 | *
Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el8_8.4 | *
Red Hat Enterprise Linux 9 | RedHat | tomcat-1:9.0.87-2.el9_5.1 | *
Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | pki-servlet-engine-1:9.0.50-1.el9_2.2 | *
Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el9_2.3 | *
Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | tomcat-1:9.0.87-1.el9_4.3 | *
Red Hat JBoss Web Server 5 | RedHat | tomcat | *
Red Hat JBoss Web Server 5.8 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.87-6.redhat_00006.1.el7jws | *
Red Hat JBoss Web Server 5.8 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.87-6.redhat_00006.1.el8jws | *
Red Hat JBoss Web Server 5.8 on RHEL 9 | RedHat | jws5-tomcat-0:9.0.87-6.redhat_00006.1.el9jws | *
Red Hat JBoss Web Server 6 | RedHat | tomcat | *
Red Hat JBoss Web Server 6.0 on RHEL 8 | RedHat | jws6-tomcat-0:10.1.8-15.redhat_00022.1.el8jws | *
Red Hat JBoss Web Server 6.0 on RHEL 9 | RedHat | jws6-tomcat-0:10.1.8-15.redhat_00022.1.el9jws | *
Tomcat10 | Ubuntu | esm-apps/noble | *
Tomcat10 | Ubuntu | noble | *
Tomcat10 | Ubuntu | oracular | *
Tomcat6 | Ubuntu | trusty/esm | *
Tomcat7 | Ubuntu | trusty/esm | *
Tomcat9 | Ubuntu | devel | *
Tomcat9 | Ubuntu | esm-apps/bionic | *
Tomcat9 | Ubuntu | esm-apps/focal | *
Tomcat9 | Ubuntu | esm-apps/jammy | *
Tomcat9 | Ubuntu | esm-apps/noble | *
Tomcat9 | Ubuntu | focal | *
Tomcat9 | Ubuntu | jammy | *
Tomcat9 | Ubuntu | noble | *
Tomcat9 | Ubuntu | oracular | *
Tomcat9 | Ubuntu | plucky | *

Potential Mitigations
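The fix the record gives is the upgrade to 11.0.2, 10.1.34 or 9.0.98. The record also names two preconditions for exposure, an affected version and a default servlet that has been enabled for write, and both can be audited on an existing install. The Python script below is an added example, not part of this CVE record or of Apache Tomcat. It assumes the caller supplies the upstream Tomcat version string and the text of conf/web.xml; the sample web.xml is constructed for illustration. The write switch it looks for is the real `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` (Tomcat's default is `true`); the affected-range logic is taken from the version ranges stated in this record.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions per Tomcat release line, taken from this CVE record.
FIXED_IN = {(11, 0): (11, 0, 2), (10, 1): (10, 1, 34), (9, 0): (9, 0, 98)}

# Accepts both milestone spellings the record uses: 11.0.0-M1 and 9.0.0.M1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text):
    """Return (major, minor, patch, milestone); milestone is None for a GA release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def version_key(v):
    """Sort key in which a milestone (x.y.z-Mn) orders before the GA release x.y.z."""
    major, minor, patch, milestone = v
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def is_affected_version(text):
    """True if the version lies in one of the affected ranges listed in the record."""
    v = parse_version(text)
    fixed = FIXED_IN.get((v[0], v[1]))
    if fixed is None:
        return False  # release line not covered by this record (e.g. a future 11.1.x)
    return version_key(v) < version_key(fixed + (None,))


def _local(tag):
    """Strip the XML namespace that Tomcat's web.xml declares, leaving the local name."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_writable(web_xml_text):
    """True if a DefaultServlet declaration sets init-param readonly=false,
    the non-default, exposed configuration this record describes."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = _child_text(param, "param-name")
            value = _child_text(param, "param-value") or ""
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def assess(version_text, web_xml_text):
    """Exposure needs both conditions: an affected version AND a writable default servlet."""
    affected = is_affected_version(version_text)
    writable = default_servlet_writable(web_xml_text)
    return {
        "affected_version": affected,
        "default_servlet_writable": writable,
        "exposed": affected and writable,
    }


# Constructed sample: a conf/web.xml fragment with the default servlet opened for write.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Same constructed file with readonly restored to Tomcat's default of true.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "readonly</param-name><param-value>false", "readonly</param-name><param-value>true"
)

if __name__ == "__main__":
    for ver in ("9.0.97", "9.0.98", "10.1.0-M1", "11.0.1"):
        print(ver, assess(ver, SAMPLE_WEB_XML))
    print("hardened:", assess("9.0.97", HARDENED_WEB_XML))
```

The version check applies to upstream version strings only. Distribution packages such as the Red Hat builds in the table above keep the upstream version (for example tomcat-1:9.0.87) and receive the fix as a backport, so for those installs the package release in the vendor advisory is the authoritative test, not the upstream number. Setting `readonly` back to `true` (or leaving the init-param out, since `true` is the default) removes the second precondition independently of the upgrade.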