CVE-2024-50379

Apache Tomcat: RCE due to TOCTOU issue in JSP compilation

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

A flaw was found in Tomcat. A Time-of-check Time-of-use (TOCTOU) race condition occurs during JSP compilation on case-insensitive file systems when the default servlet is enabled for writing. This vulnerability allows an uploaded file to be treated as a JSP and executed, resulting in remote code execution.

It was discovered that Tomcat did not correctly handle case sensitivity. An attacker could possibly use this issue to bypass authentication mechanisms. Elysee Franchuk discovered that Tomcat did not correctly limit the number of attributes for a session. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS.

*Credits: Nacl, WHOAMI, Yemoli and Ruozhi

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-10-23 CVE Reserved
2024-12-17 CVE Published
2024-12-20 First Exploit
2025-08-08 CVE Updated
2025-08-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CAPEC

References (24)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/12/17/4

URL	Date	SRC
https://github.com/yiliufeng168/CVE-2024-50379-POC	2024-12-20
https://github.com/JFOZ1010/Nuclei-Template-CVE-2024-50379	2024-12-20
https://github.com/iSee857/CVE-2024-50379-PoC	2024-12-21
https://github.com/Alchemist3dot14/CVE-2024-50379	2024-12-20
https://github.com/ph0ebus/Tomcat-CVE-2024-50379-Poc	2024-12-23
https://github.com/SleepingBag945/CVE-2024-50379	2024-12-23
https://github.com/v3153/CVE-2024-50379-POC	2024-12-26
https://github.com/dear-cell/CVE-2024-50379	2024-12-23
https://github.com/lizhianyuguangming/CVE-2024-50379-exp	2024-12-28
https://github.com/dragonked2/CVE-2024-50379-POC	2024-12-25
https://github.com/bigb0x/CVE-2024-50379	2024-12-26
https://github.com/pwnosec/CVE-2024-50379	2025-01-25
https://github.com/dkstar11q/CVE-2024-50379-nuclei	2024-12-26
https://github.com/paltrybelly/CVE-2024-50379	2025-02-26
https://github.com/shoddykilom/CVE-2024-50379	2025-03-03
https://github.com/carefreegarb/CVE-2024-50379	2025-03-25
https://github.com/thunww/CVE-2024-50379	2025-03-30
https://github.com/gomtaengi/CVE-2024-50379-exp	2024-12-28
https://github.com/Yuri08loveElaina/CVE-2024-50379-POC	2025-06-14
https://github.com/Yuri08loveElaina/CVE-2024-50379	2025-06-14

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r	2024-12-17
https://access.redhat.com/security/cve/CVE-2024-50379	2025-04-08
https://bugzilla.redhat.com/show_bug.cgi?id=2332817	2025-04-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 11.0.0-M1 <= 11.0.1 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.1"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 10.1.0-M1 <= 10.1.33 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.33"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 9.0.0.M1 <= 9.0.97 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0.M1 <= 9.0.97"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 8.5.0 <= 8.5.100 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 8.5.0 <= 8.5.100"		en		Affected