The vulnerability stems from improper synchronization in DirResourceSet's locking mechanism. The commit diff shows missing resourceLocksByPath.put() calls when creating new ResourceLocks, allowing concurrent threads to bypass file state checks. This enabled race conditions where an attacker could replace a checked file (e.g., .jsp) with malicious content before compilation. The case-insensitive filesystem aspect exacerbates this by allowing case-variant file replacement. The patch adds the missing put() operations to ensure lock visibility across threads, directly addressing the TOCTOU gap.
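A simplified model of the missing-registration defect described above, added here as an illustration; it is not Tomcat's code. Only the names `resourceLocksByPath`, `ResourceLock` and `put()` come from the advisory text; the class, `lockFor`, `overlaps`, the flag and the sample path are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

// Hypothetical per-path lock registry; models the pattern only, not Tomcat's DirResourceSet.
public class LockRegistryDemo {
    static final class ResourceLock { }

    private final Map<String, ResourceLock> resourceLocksByPath = new HashMap<>();
    private final boolean registerNewLocks; // false = defect, true = patched behaviour

    LockRegistryDemo(boolean registerNewLocks) { this.registerNewLocks = registerNewLocks; }

    // Return the lock guarding `path`, creating it on first use.
    ResourceLock lockFor(String path) {
        synchronized (resourceLocksByPath) {
            ResourceLock lock = resourceLocksByPath.get(path);
            if (lock == null) {
                lock = new ResourceLock();
                if (registerNewLocks) {
                    resourceLocksByPath.put(path, lock); // the call the advisory says was missing
                }
            }
            return lock;
        }
    }

    // True if a second thread entered the guarded section while the first still held it.
    static boolean overlaps(boolean registerNewLocks) throws InterruptedException {
        LockRegistryDemo registry = new LockRegistryDemo(registerNewLocks);
        CountDownLatch firstInside = new CountDownLatch(1);
        CountDownLatch secondInside = new CountDownLatch(1);
        Thread second = new Thread(() -> {
            try { firstInside.await(); } catch (InterruptedException e) { return; }
            synchronized (registry.lockFor("/index.jsp")) { secondInside.countDown(); }
        });
        second.start();
        boolean overlapped;
        synchronized (registry.lockFor("/index.jsp")) { // stands in for the check-then-use window
            firstInside.countDown();
            overlapped = secondInside.await(500, TimeUnit.MILLISECONDS);
        }
        second.join();
        return overlapped;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("without put(): overlap = " + overlaps(false));
        System.out.println("with put():    overlap = " + overlaps(true));
    }
}
```

Without the registration step every caller synchronizes on its own private lock object, so the lock provides no mutual exclusion over the check and the later use of the file.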
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat-catalina | maven | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
| org.apache.tomcat:tomcat-catalina | maven | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
| org.apache.tomcat:tomcat-catalina | maven | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |
| org.apache.tomcat.embed:tomcat-embed-core | maven | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
| org.apache.tomcat.embed:tomcat-embed-core | maven | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
| org.apache.tomcat.embed:tomcat-embed-core | maven | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |