Apache Tomcat: Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2024-50379) #shorts

CVE

This vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition in Apache Tomcat's JSP compilation. It is reachable only in a non-default configuration: the default servlet must be enabled for write (its readonly initialization parameter set to false, so HTTP PUT can create files under the web application), and the server must run on a case-insensitive file system (typically a Windows host). Under those conditions the race permits remote code execution. Affected releases are 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97; the fix shipped in 11.0.2, 10.1.34 and 9.0.98. The exact tooling and attack profiles are not documented on this page, but an installation that matches both preconditions should be treated as exposed to remote code execution until it is upgraded or the default servlet is returned to read-only.
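The two preconditions above (an affected release, and a default servlet with readonly=false) are what a triage script needs to test for. The following is an added example written for this page, not code from the Tomcat project or from the advisory; it encodes the affected ranges exactly as published and parses a constructed conf/web.xml fragment for the DefaultServlet readonly init-param, which is Tomcat's documented switch for PUT/DELETE and defaults to true. The function names (version_key, is_affected, fixed_version, default_servlet_writable, triage) are this example's own.

```python
"""Added example for CVE-2024-50379 triage (not from the page or from Tomcat).

1. Is a Tomcat version string inside the affected ranges the advisory lists?
2. Does conf/web.xml configure the default servlet with readonly=false?
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as published for CVE-2024-50379 (inclusive bounds), keyed by
# release branch, plus the first release in that branch that carries the fix.
AFFECTED = {
    (11, 0): ("11.0.0-M1", "11.0.1", "11.0.2"),
    (10, 1): ("10.1.0-M1", "10.1.33", "10.1.34"),
    (9, 0): ("9.0.0.M1", "9.0.97", "9.0.98"),
}

# Tomcat has used both "9.0.0.M1" and "10.1.0-M1" for milestones.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Sortable tuple: milestones sort before the final release of that number,
    so 9.0.0.M1 < 9.0.0 and 10.1.0-M1 < 10.1.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected(version):
    """True/False inside a listed branch; None when the branch (e.g. 8.5.x)
    is not covered by this advisory, so "not listed" is not read as "safe"."""
    key = version_key(version)
    branch = AFFECTED.get(key[:2])
    if branch is None:
        return None
    low, high, _fixed = branch
    return version_key(low) <= key <= version_key(high)


def fixed_version(version):
    """First release in the same branch containing the fix, or None."""
    branch = AFFECTED.get(version_key(version)[:2])
    return branch[2] if branch else None


def _local(tag):
    """Strip the namespace ({uri}name -> name): works for javaee and jakartaee."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if a <servlet> backed by DefaultServlet sets readonly=false.
    A missing init-param means Tomcat's default (readonly=true)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            name = value = ""
            for child in init:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def triage(version, web_xml_text):
    """Combine both checks into a one-line verdict for a host."""
    affected = is_affected(version)
    if affected is None:
        return "branch not covered by this advisory; check vendor guidance"
    if not affected:
        return "version already fixed"
    if default_servlet_writable(web_xml_text):
        return f"EXPOSED: upgrade to {fixed_version(version)} or set readonly=true"
    return f"vulnerable version but default servlet is read-only; upgrade to {fixed_version(version)}"


# Constructed sample: a conf/web.xml fragment with the non-default, risky setting.
SAMPLE_WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# Same constructed fragment with Tomcat's shipped default (read-only).
SAMPLE_WEB_XML_DEFAULT = SAMPLE_WEB_XML_WRITABLE.replace("<param-value>false", "<param-value>true")

if __name__ == "__main__":
    for v in ("9.0.97", "9.0.98", "10.1.0-M1", "8.5.100"):
        print(v, "->", triage(v, SAMPLE_WEB_XML_WRITABLE))
```

Run it against the version reported by `catalina.sh version` (or the server banner) and the instance's conf/web.xml; the script deliberately returns None rather than False for branches the advisory does not list, so an 8.5.x host is flagged for manual review instead of being marked safe.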

Watch the full video on YouTube: CVE-2024-50379

Remediation and exploitation details

This chain involves the following actors

The following systems are involved
Apache Tomcat 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97

Attack entry point
The default servlet enabled for write (non-default configuration) on a case-insensitive file system; the race is in JSP compilation.

Remediation actions
Upgrade to Apache Tomcat 11.0.2, 10.1.34 or 9.0.98. Until the upgrade is done, do not run the default servlet with write enabled (leave its readonly parameter at the default of true).

Exploitation actions

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2024-50379
Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Provider
apache
CWE / problem types
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Affected Software Versions
Apache Software Foundation: Apache Tomcat (version type: semver)
  11.0.0-M1 through 11.0.1, affected
  10.1.0-M1 through 10.1.33, affected
  9.0.0.M1 through 9.0.97, affected
Date Published
2024-12-17T12:34:54.827Z
Last Updated
2025-03-20T03:55:50.524Z