Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case-insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.
This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.
Note: The default readonly initialization parameter value of true is not vulnerable.
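The two conditions above that can be read from a build and its configuration (an unfixed version and a write-enabled default servlet) can be checked together. The following audit sketch is an added example, not code from this advisory or from the Tomcat project; the function names and the sample descriptor are hypothetical, and it assumes the default servlet is declared in a web.xml. It does not test whether the file system is case-insensitive.

```python
import re
import xml.etree.ElementTree as ET

# Fixed release per branch, taken from the advisory text above.
FIXED = {(9, 0): 98, (10, 1): 34, (11, 0): 2}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def version_status(version):
    """Classify a tomcat-embed-core version: fixed, needs-upgrade or unknown-branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    fixed_patch = FIXED.get((int(m[1]), int(m[2]))) if m else None
    if fixed_patch is None:
        return "unknown-branch"  # the advisory lists no fixed release for this branch
    return "fixed" if int(m[3]) >= fixed_patch else "needs-upgrade"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def _text(elem, name):
    """Stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def write_enabled_default_servlets(web_xml):
    """Names of DefaultServlet declarations whose readonly init-param is not true."""
    names = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        readonly = "true"  # default when the parameter is absent
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "readonly":
                # Assumption: any value other than "true" counts as write-enabled.
                readonly = (_text(param, "param-value") or "").lower()
        if readonly != "true":
            names.append(_text(servlet, "servlet-name"))
    return names

def exposed(version, web_xml):
    """True when the version is unfixed and a default servlet is write-enabled."""
    return version_status(version) == "needs-upgrade" and bool(write_enabled_default_servlets(web_xml))

# Constructed sample descriptor, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

A result of unknown-branch means the version's branch has no fixed release listed in this advisory and needs a manual check.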