vulnerability
Ubuntu: USN-7705-1 (CVE-2024-50379): Tomcat vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Dec 17, 2024 | Jun 26, 2025 | Aug 21, 2025 |
Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Solutions
References
- CVE-2024-50379
- https://attackerkb.com/topics/CVE-2024-50379
- CWE-367
- UBUNTU-USN-7705-1
- URL-http://www.openwall.com/lists/oss-security/2024/12/17/4
- URL-https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f
- URL-https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00
- URL-https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41
- URL-https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2
- URL-https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
- URL-https://www.cve.org/CVERecord?id=CVE-2024-50379
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.