Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
High severity
GitHub Reviewed
Published
Dec 17, 2024
to the GitHub Advisory Database
•
Updated Dec 18, 2024
Package
Affected versions
>= 11.0.0-M1, < 11.0.2
>= 10.1.0-M1, < 10.1.34
>= 9.0.0.M1, < 9.0.98
Patched versions
11.0.2
10.1.34
9.0.98
Description
Published by the National Vulnerability Database
Dec 17, 2024
Published to the GitHub Advisory Database
Dec 17, 2024
Reviewed
Dec 17, 2024
Last updated
Dec 18, 2024
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
References