9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-50379

GHSA ID

GHSA-5j33-cvvr-w245

EPSS Score

0.99483%

CWE

CWE-367

Published

12/17/2024

Updated

1/3/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-50379

CVE-2024-50379:
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-50379

GHSA ID

GHSA-5j33-cvvr-w245

EPSS Score

0.99483%

CWE

CWE-367

Published

12/17/2024

Updated

1/3/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat-catalina	maven	>= 11.0.0-M1, < 11.0.2	11.0.2
org.apache.tomcat:tomcat-catalina	maven	>= 10.1.0-M1, < 10.1.34	10.1.34
org.apache.tomcat:tomcat-catalina	maven	>= 9.0.0.M1, < 9.0.98	9.0.98
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M1, < 11.0.2	11.0.2
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.0-M1, < 10.1.34	10.1.34
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0.M1, < 9.0.98	9.0.98

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper synchronization in DirResourceSet's locking mechanism. The commit diff shows missing resourceLocksByPath.put() calls when creating new ResourceLocks, allowing concurrent threads to bypass file state checks. This enabled race conditions where an attacker could replace a checked file (e.g., .jsp) with malicious content before compilation. The case-insensitive filesystem aspect exacerbates this by allowing case-variant file replacement. The patch adds the missing put() operations to ensure lock visibility across threads, directly addressing the TOCTOU gap.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Tim*-o*-****k Tim*-o*-us* (TO*TOU) R*** *on*ition vuln*r**ility *urin* JSP *ompil*tion in *p**** Tom**t p*rmits *n R** on **s* ins*nsitiv* *il* syst*ms w**n t** ****ult s*rvl*t is *n**l** *or writ* (non-****ult *on*i*ur*tion). T*is issu* *****ts *p*

Reasoning

T** vuln*r**ility st*ms *rom improp*r syn**roniz*tion in `*irR*sour**S*t`'s lo*kin* m****nism. T** *ommit *i** s*ows missin* `r*sour**Lo*ks*yP*t*.put()` **lls w**n *r**tin* n*w `R*sour**Lo*ks`, *llowin* *on*urr*nt t*r***s to *yp*ss *il* st*t* ****ks.

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-50379: Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-50379:
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

Vulnerability Intelligence
Miggo AI