Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete
Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tomcat contains a TOCTOU race condition in the default servlet on case-insensitive file systems, allowing potential file upload bypass; incomplete fix for CVE-2024-50379.
Vulnerability
Overview
CVE-2024-56337 is a Time-of-Check Time-of-Use (TOCTOU) race condition in Apache Tomcat's default servlet. The issue arises when the default servlet is configured with write enabled (the readonly initialization parameter set to false) on a case-insensitive file system. The mitigation applied for the earlier CVE-2024-50379 was incomplete, leaving a window for race conditions that could be exploited [1][2][3][4].
Exploitation
Conditions
Exploitation requires the default servlet to have write access enabled on a case-insensitive file system. An attacker with the ability to upload files can attempt to exploit the race condition to bypass file access checks. The vulnerability's exploitability depends on the Java version in use: on Java 8 or Java 11, the system property sun.io.useCanonCaches defaults to true and must be explicitly set to false; on Java 17, the property defaults to false, but if it has been set explicitly it must be set to false; on Java 21 and later, the property and the problematic cache have been removed, so no additional configuration is needed [4].
Impact
Successful exploitation could allow an attacker to upload or overwrite files in a manner that bypasses security checks, potentially leading to arbitrary code execution or unauthorized data modification. The race condition may enable an attacker to write a file that is later executed or served by the server, depending on the application's configuration [1][2][3].
Mitigation
Users should upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 or later, which include checks to ensure sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write-enabled on a case-insensitive file system. These versions also set the property to false by default where possible. For users unable to upgrade, setting sun.io.useCanonCaches=false on Java 8 or Java 11 (and making sure it is not set to true on Java 17), and ensuring the default servlet's readonly parameter is true (the default) unless write access is explicitly required, provides a workaround [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
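The per-Java-version rules from the Description and Mitigation sections, turned into a configuration check. This is an added example, not Tomcat's or the advisory's own code; the web.xml snippet, the JAVA_OPTS string and the function names are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a default-servlet declaration from conf/web.xml with the
# non-default, write-enabled setting (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def _child_text(el, name):
    """Text of the first direct child with local tag `name`, ignoring XML namespaces."""
    for child in el:
        if child.tag.split("}")[-1] == name:
            return (child.text or "").strip()
    return None


def default_servlet_readonly(web_xml: str) -> bool:
    """Effective readonly value of the 'default' servlet; Tomcat's default is true."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.split("}")[-1] != "servlet" or _child_text(el, "servlet-name") != "default":
            continue
        for param in el.iter():
            if param.tag.split("}")[-1] == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "true").lower() != "false"
    return True


def canon_caches_setting(java_opts: str):
    """-Dsun.io.useCanonCaches from a JAVA_OPTS/CATALINA_OPTS string: True/False, or None if unset."""
    match = re.search(r"-Dsun\.io\.useCanonCaches=(\S+)", java_opts)
    return None if match is None else match.group(1).lower() == "true"


def write_enabled_is_safe(java_major: int, java_opts: str, web_xml: str,
                          case_insensitive_fs: bool) -> bool:
    """Apply the advisory's per-Java-version rules for a write-enabled default servlet."""
    if default_servlet_readonly(web_xml) or not case_insensitive_fs:
        return True                  # precondition for the race is absent
    if java_major >= 21:
        return True                  # property and cache removed from the JDK
    setting = canon_caches_setting(java_opts)
    if java_major >= 17:
        return setting is not True   # defaults to false; must not be forced to true
    return setting is False          # Java 8/11: defaults to true, must be set to false
```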
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat-catalina | Maven | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
| org.apache.tomcat:tomcat-catalina | Maven | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
| org.apache.tomcat:tomcat-embed-core | Maven | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 11.0.0-M1, < 11.0.2 | 11.0.2 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 10.1.0-M1, < 10.1.34 | 10.1.34 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 9.0.0.M1, < 9.0.98 | 9.0.98 |
Affected products
- Apache Software Foundation / Apache Tomcat, range: 11.0.0-M1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-27hp-xhwr-wr2m (GitHub advisory)
- lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56337 (advisory)
- lists.debian.org/debian-lts-announce/2025/01/msg00009.html
- security.netapp.com/advisory/ntap-20250103-0002
- tomcat.apache.org/security-10.html
- tomcat.apache.org/security-11.html
- tomcat.apache.org/security-9.html
- www.cve.org/CVERecord (vulnerability database entry)
News mentions
No linked articles in our index yet.