Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

GHSA-5j33-cvvr-w245 · BIT-tomcat-2024-50379 · CVE-2024-50379

Published Dec 17, 2024 · Modified Feb 4, 2026

Description

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

References

9.8 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.34, 11.0.2, 9.0.98

Introduced 10.1.0-M1, 11.0.0-M1, 8.5.0, 9.0.0.M1

252 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +232 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.34, 11.0.2, 9.0.98

Introduced 10.1.0-M1, 11.0.0-M1, 8.5.0, 9.0.0.M1

252 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +232 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes