CVE-2021-24122

Name
CVE-2021-24122
Description
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
NVD Severity
medium

References

Type URI
Mailing List https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E
Mailing List https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E
Mailing List http://www.openwall.com/lists/oss-security/2021/01/14/1
Mailing List https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E
Mailing List https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E
Mailing List https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E
Third Party Advisory https://security.netapp.com/advisory/ntap-20210212-0008/
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
N/A https://www.oracle.com//security-alerts/cpujul2021.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* tomcat >= 7.0.0 <= 7.0.106
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* tomcat >= 8.5.0 <= 8.5.59
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* tomcat == None == 9.0.0
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* tomcat >= 9.0.1 <= 9.0.39
cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:* tomcat == None == 10.0.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status