CVE-2024-56337

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56337

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56337.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-56337

Aliases

Related

Published

2024-12-20T16:15:24Z

Modified

2025-01-17T18:49:43.463370Z

Summary

[none]

Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

The mitigation for CVE-2024-50379 was incomplete.

Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

References

Affected packages

Debian:12 / tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.34-0+deb12u1

Affected versions

10.*

10.1.6-1

10.1.6-1+deb12u1

10.1.6-1+deb12u2

10.1.7-1

10.1.8-1

10.1.9-1

10.1.10-1

10.1.13-1

10.1.14-1

10.1.15-1

10.1.16-1

10.1.20-1

10.1.23-1

10.1.25-1~bpo12+1

10.1.25-1

10.1.25-2

10.1.30-1~bpo12+1

10.1.30-1

10.1.31-1

10.1.33-1~bpo12+1

10.1.33-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.34-1

Affected versions

10.*

10.1.6-1

10.1.7-1

10.1.8-1

10.1.9-1

10.1.10-1

10.1.13-1

10.1.14-1

10.1.15-1

10.1.16-1

10.1.20-1

10.1.23-1

10.1.25-1~bpo12+1

10.1.25-1

10.1.25-2

10.1.30-1~bpo12+1

10.1.30-1

10.1.31-1

10.1.33-1~bpo12+1

10.1.33-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.43-2~deb11u11

Affected versions

9.*

9.0.43-1

9.0.43-2~deb11u1

9.0.43-2~deb11u2

9.0.43-2~deb11u3

9.0.43-2~deb11u4

9.0.43-2~deb11u5

9.0.43-2~deb11u6

9.0.43-2~deb11u7

9.0.43-2~deb11u8

9.0.43-2~deb11u9

9.0.43-2~deb11u10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}