Vulnerability Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 9.0.0, < 9.0.98 |
| Netapp | Bootstrap Os | - |
| Netapp | Hci Compute Node | - |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80rMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2024/12/17/4Mailing List
- http://www.openwall.com/lists/oss-security/2024/12/18/2Mailing List
- https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
- https://security.netapp.com/advisory/ntap-20250103-0003/Third Party Advisory
FAQ
What is CVE-2024-50379?
CVE-2024-50379 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (n...
How severe is CVE-2024-50379?
CVE-2024-50379 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-50379?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Netapp Bootstrap Os, Netapp Hci Compute Node.