CVE-2021-24122 — MEDIUM (5.9)

Q: How severe is CVE-2021-24122?

CVE-2021-24122 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-24122?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Agile Plm.

Vulnerability Description

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 7.0.0, <= 7.0.106
Debian	Debian Linux	9.0
Oracle	Agile Plm	9.3.3

Related Weaknesses (CWE)

CWE-706 CWE-200

References

http://www.openwall.com/lists/oss-security/2021/01/14/1Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b08302226
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b08302226Mailing ListVendor Advisory
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b08302226Mailing ListVendor Advisory
https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034
https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045
https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d6
https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0
https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20210212-0008/Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2021/01/14/1Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b08302226
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b08302226Mailing ListVendor Advisory

FAQ

What is CVE-2021-24122?

CVE-2021-24122 is a vulnerability with a CVSS score of 5.9 (MEDIUM). When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to J...

How severe is CVE-2021-24122?

CVE-2021-24122 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24122?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Agile Plm.