Appsecure logo

CVE-2024-50379: Critical Vulnerability in Apache Tomcat

A critical Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat allows remote code execution on case-insensitive file systems. Immediate patching is essential for affected versions.

CRITICALPublic ExploitCVSS 9.8 · Published December 17, 2024

Not a customer? See how AppSecure simulates real world attacks to protect your infrastructure.

Speak to Experts

The vulnerability identified as CVE-2024-50379 is a critical Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that occurs during JSP compilation in Apache Tomcat. This vulnerability allows an attacker to execute remote code on case-insensitive file systems when the default servlet is configured for write access, which is a non-default configuration. The affected versions of Apache Tomcat include 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97.

This issue also affects older versions that were end-of-life (EOL) at the time the CVE was created, specifically from version 8.5.0 through 8.5.100, and potentially other older EOL versions. Given the severity of this vulnerability, organizations using affected versions should prioritize patching to mitigate the risk.

The recommended upgrades to address this vulnerability are to versions 11.0.2, 10.1.34, or 9.0.98, which contain the necessary fixes.

Risk to organizations includes potential unauthorized access and control over affected systems, making immediate action imperative.

As of now, exploitability is confirmed, and the urgency for defenders to act is critical. Organizations should prioritize patching immediately.

Vulnerability Details

The official CVE description states that this vulnerability allows for a race condition during JSP compilation in Apache Tomcat, which can lead to remote code execution on case-insensitive file systems, especially when the default servlet is enabled for write access.

The CVSS score for this vulnerability is 9.8, which classifies it as critical. The high score is justified due to the potential impact on confidentiality, integrity, and availability, as reflected in the CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

The affected products include Apache Tomcat and bootstrap_os from the vendors Apache and NetApp. The publication date of this vulnerability was December 17, 2024.

Technical Analysis

The root cause of this vulnerability stems from a TOCTOU race condition during the JSP compilation process in Apache Tomcat. Attackers may leverage this flaw by exploiting the timing of file operations to gain unauthorized access to the system.

The attack vector is network-based, and the complexity required to exploit this vulnerability is low, meaning it can be executed without advanced skills. No privileges are required for the attacker, and user interaction is not necessary, allowing for potential widespread exploitation.

The impacts of this vulnerability are severe, affecting confidentiality, integrity, and availability, as successful exploitation could allow attackers to execute arbitrary commands on the server.

Risk & Impact Analysis

The deployment risk associated with CVE-2024-50379 is substantial. Organizations using the affected versions of Apache Tomcat are exposed to significant threats, including remote code execution capabilities for attackers. The blast radius potential is considerable, as this could lead to full system compromise.

Given the criticality of this vulnerability, organizations must assess their exposure and take immediate steps to remediate. The urgency is underscored by the CVSS score and the potential for exploitation, which can lead to devastating consequences if not addressed promptly.

Signal

Status

Known Exploit

Yes

Public PoC

Yes

Actively Exploited

No

Ransomware Use

No

Affected Versions

The affected versions of Apache Tomcat include:

• 11.0.0-M1 through 11.0.1 • 10.1.0-M1 through 10.1.33 • 9.0.0.M1 through 9.0.97 • 8.5.0 through 8.5.100 (EOL versions)

Mitigation & Remediation

Organizations using affected versions of Apache Tomcat should upgrade to the following versions to mitigate this vulnerability:

• Upgrade to version 11.0.2 • Upgrade to version 10.1.34 • Upgrade to version 9.0.98

In cases where immediate patching is not feasible, organizations should consider implementing configuration hardening practices to limit exposure.

Organizations should validate remediation through penetration testing to identify similar weaknesses.

Detection Guidance

Organizations should monitor logs for indicators that may suggest exploitation attempts, including unusual JSP compilation activities and unexpected file uploads.

Behavioral anomalies that deviate from normal operations should be investigated promptly.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the importance of secure coding practices and timely patch management in software development.

This incident represents a broader pattern of vulnerabilities arising from race conditions, emphasizing the need for comprehensive testing and validation processes.

Security teams should learn from this incident to implement rigorous security testing methodologies.

For further reading on best practices, security teams may refer to the following resources:

penetration testing methodology and vulnerability management program design to enhance their defensive posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Latest CVEs. Recently published vulnerabilities from the NVD database.

View all vulnerabilities
CVE IDSeverity
CVE-2025-65418HIGH
CVE-2025-65417MEDIUM
CVE-2025-65416MEDIUM
CVE-2025-65415MEDIUM
CVE-2025-61314HIGH

Protect Your Business with Hacker-Focused Approach.