CRITICAL · CVSS 9.8
CVE-2024-50379 — Apache Tomcat JSP TOCTOU RCE
A time-of-check / time-of-use (TOCTOU) race during JSP compilation in Tomcat allows remote code execution on case-insensitive filesystems, but only when the default servlet has been enabled for writes (readonly=false, a non-default setting) so that an attacker can upload files into a web application's directory.
Affects
- Tomcat 9.0.0-M1 through 9.0.97 (fixed in 9.0.98)
- Tomcat 10.1.0-M1 through 10.1.33 (fixed in 10.1.34)
- Tomcat 11.0.0-M1 through 11.0.1 (fixed in 11.0.2)
What an attacker does
On a case-insensitive filesystem (Windows, or macOS on the default APFS/HFS+ volume format), an attacker who can write into a webapp directory, typically via HTTP PUT to a default servlet configured with readonly=false, uploads JSP source under a case-variant name such as shell.Jsp, which the upload path treats as a plain static resource, while concurrently requesting shell.jsp. Both names resolve to the same file on disk, so a request that wins the race has Jasper compile and execute the uploaded code in the Tomcat process.
How to detect
Check three things: the Tomcat build number (server.number in lib/catalina.jar's ServerInfo.properties, or bin/version.sh), whether conf/web.xml or any webapp's WEB-INF/web.xml sets the default servlet's readonly init-param to false, and whether the webapps directory sits on a case-insensitive filesystem. All three must hold for the vulnerability to be exploitable; a write-enabled default servlet is worth flagging on its own regardless of the other two.
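The checks above as a POSIX shell script. This is an added example, not Securie's detector and not code from the Tomcat project; the CATALINA_HOME layout (lib/catalina.jar, conf/web.xml) is the stock distribution layout, and the web.xml fragment at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checks the three preconditions of CVE-2024-50379 on a host.
# Assumes the stock Tomcat layout under CATALINA_HOME; needs unzip for the jar read.

# 0 (true) when VERSION is in an affected range:
#   9.0.0 .. 9.0.97, 10.1.0 .. 10.1.33, 11.0.0 .. 11.0.1 (milestones included).
# Accepts "9.0.97", "9.0.97.0" (server.number form), "11.0.0-M1" and "9.0.0.M1".
tomcat_is_vulnerable() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # strip ".0", "-M1", ".M1" style suffixes
    case "$major.$minor" in
        9.0)  [ "$patch" -lt 98 ] ;;
        10.1) [ "$patch" -lt 34 ] ;;
        11.0) [ "$patch" -lt 2 ] ;;
        *)    return 1 ;;        # outside the advisory's stated ranges (e.g. EOL 8.5, 10.0)
    esac
}

# Print the build number (e.g. "9.0.97.0") from ServerInfo.properties inside
# lib/catalina.jar. Returns 1 when the jar is not where the stock layout puts it.
tomcat_version_from_home() {
    jar="$1/lib/catalina.jar"
    [ -f "$jar" ] || return 1
    unzip -p "$jar" org/apache/catalina/util/ServerInfo.properties \
        | sed -n 's/^server\.number=//p'
}

# 0 when a web.xml sets readonly=false on some servlet. The default servlet
# (and the WebDAV servlet) take this parameter; the shipped conf/web.xml never
# sets it, so any hit is an operator change that enables PUT.
default_servlet_writable() {
    tr -d '\n\r' < "$1" | tr -s ' \t' ' ' \
        | grep -q '<param-name> *readonly *</param-name> *<param-value> *false *</param-value>'
}

# 0 when DIR is on a case-insensitive filesystem: create a lowercase probe file
# and see whether the uppercase spelling of the same name resolves to it.
fs_case_insensitive() {
    lower="$1/.caseprobe.$$"
    upper="$1/.CASEPROBE.$$"
    : > "$lower" || return 1
    if [ -e "$upper" ]; then rc=0; else rc=1; fi
    rm -f "$lower"
    return $rc
}

# Constructed sample (not from any real install): the dangerous non-default
# default-servlet configuration, written to PATH.
write_sample_webxml() {
    cat > "$1" <<'EOF'
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>
EOF
}

# Demonstration against the constructed sample and the local temp directory.
for v in 9.0.97.0 9.0.98 10.1.33 10.1.34 11.0.0-M1 11.0.2; do
    if tomcat_is_vulnerable "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
SAMPLE=$(mktemp)
write_sample_webxml "$SAMPLE"
if default_servlet_writable "$SAMPLE"; then echo "web.xml: default servlet writable (readonly=false)"; fi
if fs_case_insensitive "${TMPDIR:-/tmp}"; then echo "filesystem: case-insensitive"; else echo "filesystem: case-sensitive"; fi
rm -f "$SAMPLE"
```

On a real host, feed the output of tomcat_version_from_home "$CATALINA_HOME" into tomcat_is_vulnerable, run default_servlet_writable over conf/web.xml and every webapps/*/WEB-INF/web.xml, and probe the webapps directory itself rather than /tmp, since the two can live on different volumes.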
How to fix
Upgrade to 9.0.98, 10.1.34 or 11.0.2 or later. The upgrade alone was found to be incomplete (tracked as CVE-2024-56337): on Java 8 or 11 also set the system property sun.io.useCanonCaches=false explicitly (its default there is true), on Java 17 make sure it is not set to true (the default is already false), and on Java 21 or later no extra setting is needed. Independently, restore the default servlet's readonly parameter to true unless PUT/DELETE uploads are genuinely required, and run Tomcat on a case-sensitive filesystem where possible. On Linux with a case-sensitive filesystem the race cannot be triggered, so the practical risk is minimal, but patch anyway.
How Securie catches it
Securie's Java runtime detector flags vulnerable Tomcat.