CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation

Description

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.

Classification

CVE ID: CVE-2024-50379

Affected Products

Vendor: Apache Software Foundation

Product: Apache Tomcat

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

Timeline

2024-12-18 00:30:36 UTC
CVE

Apache Tomcat: RCE due to TOCTOU issue in JSP compilation
2024-12-18 15:15:25 UTC
Github Advisory Database (Maven)

[org.apache.tomcat:tomcat-catalina] Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
2025-03-06 09:45:23 UTC
Tenable Plugins

Linux Distros Unpatched Vulnerability : CVE-2024-50379
2025-04-14 06:00:43 UTC
Tenable Plugins

RHEL 8 : tomcat (RHSA-2025:3683)
2025-04-14 06:00:44 UTC
Tenable Plugins

RHEL 9 : tomcat (RHSA-2025:3646)
2025-04-14 06:00:46 UTC
Tenable Plugins

RHEL 9 : tomcat (RHSA-2025:3647)
2025-04-14 06:00:47 UTC
Tenable Plugins

RHEL 8 : tomcat (RHSA-2025:3684)