A critical severity vulnerability has been discovered in Apache Tomcat that could allow remote code execution.
Analysis
The vulnerability can lead to remote code execution (RCE) when two non-default conditions hold: the default servlet is enabled for write (its readonly initialisation parameter set to false; the default value is true), and the web application is deployed on a case-insensitive file system. Under load, a concurrent read and upload of the same file can bypass Tomcat's case-sensitivity checks, so that an uploaded file is treated as a JSP and compiled, leading to remote code execution. The root cause is a time-of-check to time-of-use (TOCTOU) race in JSP compilation. Installations that keep the default servlet read-only, or that run on a case-sensitive file system, are not exposed to this issue, but should still update.
This vulnerability has been assigned the identifier CVE-2024-50379.
Affected Versions
Apache Tomcat versions:
- from 11.0.0-M1 to 11.0.1;
- from 10.1.0-M1 to 10.1.33;
- from 9.0.0.M1 to 9.0.97.
Recommendations
Update to the following versions of Apache Tomcat:
- 11.0.2 or later.
- 10.1.34 or later.
- 9.0.98 or later.
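The following script is an added example (not Apache's code) that turns the three preconditions above into checks an operator can run: is the Tomcat version inside the affected ranges, does web.xml set readonly=false on the default servlet, and is the file system case-insensitive. The sample web.xml fragment is constructed for the example, modelled on the default servlet declaration in conf/web.xml, and the path CATALINA_HOME is an assumption.

```python
"""Checks for the CVE-2024-50379 preconditions: affected Tomcat version,
writable default servlet (readonly=false) and case-insensitive file system.
Added example, not part of the advisory or of Apache Tomcat."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_IN = {(11, 0): "11.0.2", (10, 1): "10.1.34", (9, 0): "9.0.98"}


def parse_version(version):
    """Turn '9.0.97', '11.0.0-M1' or '9.0.0.M1' into a sortable tuple.
    A milestone sorts before the final release with the same number."""
    v = version.strip().replace(".M", "-M")  # Tomcat 9 wrote 9.0.0.M1
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), final, int(milestone or 0))


def is_affected(version):
    """True if the version lies in one of the affected ranges listed above."""
    key = parse_version(version)
    fixed = FIXED_IN.get(key[:2])
    if fixed is None:
        return False  # branch not covered by this advisory (e.g. 8.5.x)
    return key < parse_version(fixed)


def _local(tag):
    """Strip the namespace ElementTree prefixes to every tag name."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if a <servlet> named 'default' (or using DefaultServlet) carries
    <init-param> readonly=false, the non-default setting the CVE requires."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if (fields.get("servlet-name") != "default"
                and fields.get("servlet-class")
                != "org.apache.catalina.servlets.DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if (kv.get("param-name") == "readonly"
                    and (kv.get("param-value") or "").lower() == "false"):
                return True
    return False


def filesystem_case_insensitive(directory):
    """Probe the file system holding `directory` by creating a file and
    looking it up under a different case (true on NTFS, usually false on ext4)."""
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        open(os.path.join(tmp, "CaseProbe.txt"), "w").close()
        return os.path.exists(os.path.join(tmp, "caseprobe.txt"))


def assess(version, web_xml_text, case_insensitive):
    """Combine the three preconditions; 'exposed' needs all of them."""
    version_affected = is_affected(version)
    writable = default_servlet_writable(web_xml_text)
    return {
        "version_affected": version_affected,
        "default_servlet_writable": writable,
        "case_insensitive_fs": case_insensitive,
        "exposed": version_affected and writable and case_insensitive,
    }


# Constructed sample: the default servlet block of a conf/web.xml with the
# weak setting. The hardened form only differs in the readonly value.
VULNERABLE_WEB_XML = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    catalina_home = os.environ.get("CATALINA_HOME", ".")  # assumed install path
    print(assess("10.1.33", VULNERABLE_WEB_XML,
                 filesystem_case_insensitive(catalina_home)))
    print(assess("10.1.34", HARDENED_WEB_XML,
                 filesystem_case_insensitive(catalina_home)))
```

Run default_servlet_writable over conf/web.xml and over every deployed application's WEB-INF/web.xml, since an application can re-declare the default servlet with its own init-params; a readonly=false anywhere is the setting to remove unless the upload capability is genuinely required, and updating to the fixed versions remains the actual remediation.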
References
- https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
- Hispasec Una-al-día.
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34