org.apache.tomcat:tomcat-catalina@10.1.33 vulnerabilities

  • latest version: 11.0.2

  • latest non vulnerable version:

  • first published: 14 years ago

  • latest version published: 17 days ago

  • licenses detected:

  • package manager:
  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C | Time-of-check Time-of-use (TOCTOU) Race Condition

    org.apache.tomcat:tomcat-catalina provides the Tomcat Servlet Engine core classes and standard implementations.

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to incomplete mitigation advice associated with CVE-2024-50379, affecting the file-handling process when the default servlet is write-enabled.

    In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat:

    1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

    2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

    3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

    [9.0.0.M1,9.0.98) | [10.1.0-M1,10.1.34) | [11.0.0-M1,11.0.2)
    • C | Time-of-check Time-of-use (TOCTOU) Race Condition

    org.apache.tomcat:tomcat-catalina provides the Tomcat Servlet Engine core classes and standard implementations.

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case-insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case-sensitivity checks, causing it to be treated as a JSP and executed.

    This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

    Note:

    The default value of the readonly initialization parameter (true) is not vulnerable.

    This is related to CVE-2024-56337, which defines the additional configuration needed to fully mitigate this issue, since upgrading to the fixed version alone does not fully mitigate this vulnerability.

    In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat:

    1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

    2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

    3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

    [9.0.0.M1,9.0.98) | [10.1.0-M1,10.1.34) | [11.0.0-M1,11.0.2)
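The upgrade ranges and the three Java-version-dependent mitigations above (together with the note that a read-only default servlet is not exposed) can be turned into a single configuration audit. The following script is an added example, not Snyk's or Tomcat's code: it takes the Tomcat version, the output of `java -version`, the JVM options Tomcat is started with, and the contents of conf/web.xml as plain strings, and returns the list of actions still outstanding. It assumes numeric release versions only (milestone builds such as 10.1.0-M1 are not parsed) and, as a conservative choice not stated on the page, applies the Java 8/11 rule to every Java major below 17.

```python
"""Audit helper for the Tomcat default-servlet TOCTOU mitigations
(CVE-2024-50379 / CVE-2024-56337). Constructed example, not Snyk or Tomcat code.
All inputs are strings so the script runs offline; in practice feed it the
real `java -version` output, CATALINA_OPTS/JAVA_OPTS and conf/web.xml."""
import re
import xml.etree.ElementTree as ET

# First fixed release per Tomcat line, taken from the advisory's version ranges.
FIXED = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def java_major_version(version_output: str) -> int:
    """Major version from `java -version` output: "1.8.0_392" -> 8, "17.0.9" -> 17."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("no java version string found")
    major = int(m.group(1))
    # Pre-9 JDKs report "1.x"; the second component is the real major.
    return int(m.group(2)) if major == 1 and m.group(2) else major


def use_canon_caches(jvm_opts: str):
    """True/False if -Dsun.io.useCanonCaches is set on the JVM command line, None if absent."""
    m = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)
    return None if m is None else m.group(1).lower() == "true"


def default_servlet_readonly(web_xml: str) -> bool:
    """Effective 'readonly' init-param of the default servlet; Tomcat's default is true."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if local(c) == "servlet-class").strip()
        if cls != DEFAULT_SERVLET:
            continue
        for param in (c for c in servlet if local(c) == "init-param"):
            kv = {local(x): (x.text or "").strip() for x in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "true"
    return True


def tomcat_is_fixed(version: str) -> bool:
    """True if a numeric release (e.g. "10.1.33") is at or above the fixed release of its line."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        raise ValueError(f"unknown Tomcat line: {version}")
    return parts >= fixed


def assess(tomcat_version: str, java_version_output: str, jvm_opts: str, web_xml: str):
    """Return outstanding actions; an empty list means the advisory's mitigations are in place."""
    actions = []
    if not tomcat_is_fixed(tomcat_version):
        fixed = ".".join(map(str, FIXED[int(tomcat_version.split(".")[0])]))
        actions.append(f"upgrade tomcat-catalina to {fixed} or later")
    if default_servlet_readonly(web_xml):
        return actions  # read-only default servlet (the default) is not exposed to this issue
    major = java_major_version(java_version_output)
    setting = use_canon_caches(jvm_opts)
    if major < 17:
        # Java 8/11 rule: the cache defaults to on, so the property must be set to false.
        # Assumption: other pre-17 majors are treated the same way (stricter, harmless).
        if setting is not False:
            actions.append("set -Dsun.io.useCanonCaches=false (defaults to true on Java 8/11)")
    elif major < 21:
        # Java 17 rule: defaults to false, so only an explicit true is a problem.
        if setting is True:
            actions.append("remove -Dsun.io.useCanonCaches=true (Java 17 defaults to false)")
    # Java 21 onwards: property and cache removed, nothing to configure.
    return actions


# Constructed sample inputs.
JAVA8 = 'openjdk version "1.8.0_392"\nOpenJDK Runtime Environment'
JAVA17 = 'openjdk version "17.0.9" 2023-10-17'
JAVA21 = 'openjdk version "21.0.1" 2023-10-17'
WEB_XML_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_DEFAULT = WEB_XML_WRITABLE.replace(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>", "")

if __name__ == "__main__":
    for label, args in {
        "10.1.33, Java 8, no property, writable": ("10.1.33", JAVA8, "-Xmx1g", WEB_XML_WRITABLE),
        "10.1.34, Java 17, no property, writable": ("10.1.34", JAVA17, "-Xmx1g", WEB_XML_WRITABLE),
        "10.1.34, Java 21, property true, writable": ("10.1.34", JAVA21, "-Dsun.io.useCanonCaches=true", WEB_XML_WRITABLE),
        "10.1.33, Java 8, no property, read-only": ("10.1.33", JAVA8, "", WEB_XML_DEFAULT),
    }.items():
        print(label, "->", assess(*args) or ["ok"])
```

The run for 10.1.33 on Java 8 with a writable default servlet reports both the upgrade and the missing `-Dsun.io.useCanonCaches=false`; the same Tomcat with the default read-only servlet reports only the upgrade, matching the advisory's note that the default `readonly` value is not vulnerable.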