CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet (TOCTOU)

Description

Severity: Important (Development team), Critical (Snyk)
Link: https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
Link: https://www.cve.org/CVERecord?id=CVE-2024-50379
Package Name: org.apache.tomcat.embed_tomcat-embed-core

Current version: 10.1.33 / fixed in 10.1.34

If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.

To be vulnerable, a module must meet both conditions:

  • set the default servlet's readonly initialisation parameter to false (the Tomcat default is true; leaving the parameter unset is not vulnerable)

  • run on a case insensitive file system
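The two preconditions above, expressed in Spring Boot embedded-Tomcat terms, as an added example that is not code from FOLIO, from the Tomcat project or from the advisory: the customizer that would introduce the vulnerable readonly=false setting is shown only for contrast, next to a start-up guard that reads back the effective readonly value of the default servlet and probes whether its docBase sits on a case insensitive file system. Assumptions: Spring Boot 3 class names (TomcatServletWebServerFactory, TomcatContextCustomizer, WebServerFactoryCustomizer), that Spring Boot registers Tomcat's DefaultServlet under the wrapper name "default" before context customizers run, and that the docBase (or java.io.tmpdir as a fallback) is representative of where the default servlet would write. The class, bean and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical class (not FOLIO code): checks the CVE-2024-50379 preconditions
// against a running embedded Tomcat.
@Configuration
public class DefaultServletWriteCheck {

    // Wrapper name under which Spring Boot registers Tomcat's DefaultServlet (assumption).
    static final String DEFAULT_SERVLET = "default";

    // VULNERABLE SHAPE, shown for contrast only: flips the DefaultServlet from its
    // Tomcat default (readonly=true) to write-enabled. Never register this customizer.
    static TomcatContextCustomizer writeEnabledDefaultServlet() {
        return context -> {
            Wrapper w = (Wrapper) context.findChild(DEFAULT_SERVLET);
            if (w != null) {
                w.addInitParameter("readonly", "false");
            }
        };
    }

    // Effective readonly value of the DefaultServlet in this context, or null when the
    // servlet is not registered at all (then the write path cannot be reached).
    static String effectiveReadonly(Context context) {
        Wrapper w = (Wrapper) context.findChild(DEFAULT_SERVLET);
        if (w == null) {
            return null;
        }
        String v = w.findInitParameter("readonly");
        return v == null ? "true" : v; // Tomcat's default when the parameter is absent
    }

    // Probe whether a directory lives on a case insensitive file system: create a
    // mixed-case temp file, then ask whether its lower-cased name also resolves.
    static boolean isCaseInsensitive(Path dir) throws IOException {
        Path probe = Files.createTempFile(dir, "CaseProbe", ".tmp");
        try {
            String original = probe.getFileName().toString();
            String lower = original.toLowerCase(Locale.ROOT);
            return !lower.equals(original) && Files.exists(dir.resolve(lower));
        } finally {
            Files.deleteIfExists(probe);
        }
    }

    // Start-up guard: refuse to start when both preconditions hold. Context customizers
    // run after Spring Boot has added the default servlet, so findChild can see it.
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> cve202450379Guard() {
        return factory -> factory.addContextCustomizers(context -> {
            boolean writeEnabled = "false".equalsIgnoreCase(effectiveReadonly(context));
            Path fallback = Path.of(System.getProperty("java.io.tmpdir"));
            Path docBase = context.getDocBase() == null ? fallback : Path.of(context.getDocBase());
            if (!Files.isDirectory(docBase)) {
                docBase = fallback;
            }
            try {
                if (writeEnabled && isCaseInsensitive(docBase)) {
                    throw new IllegalStateException(
                        "DefaultServlet readonly=false on a case insensitive file system ("
                        + docBase + "): exposed to CVE-2024-50379; drop the readonly=false "
                        + "setting and upgrade tomcat-embed-core to 10.1.34 or later");
                }
            } catch (IOException e) {
                throw new IllegalStateException("could not probe file system at " + docBase, e);
            }
        });
    }
}
```

The hardened configuration is simply the absence of writeEnabledDefaultServlet: leave readonly unset (Tomcat's default of true) or set it explicitly to "true". The guard is a belt-and-braces check for deployments whose file system is not known in advance; the real fix remains the upgrade to 10.1.34.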

Modules impacted:

All Spring Boot based modules

Activity

Julian Ladisch December 19, 2024 at 4:48 PM
Edited

FOLIO deploys modules in Alpine Linux, a case sensitive file system. Therefore not vulnerable.

FOLIO doesn’t set readonly to false. Therefore not vulnerable.

This should be closed as rejected because FOLIO is not affected.

Status: Unresolved

Created December 19, 2024 at 4:44 PM
Updated January 2, 2025 at 4:41 PM