9.8
CRITICAL
CVE-2024-56337
Apache Tomcat CaseInsensitive TOCTOU Race Condition Vulnerability
Description

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

INFO

Published Date :

Dec. 20, 2024, 4:15 p.m.

Last Modified :

Jan. 3, 2025, 12:15 p.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-56337 has a 3 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-56337 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Apache tomcat
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-56337.

URL Resource
https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp
https://www.cve.org/CVERecord?id=CVE-2024-50379
https://security.netapp.com/advisory/ntap-20250103-0002/

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
SleepingBag945/CVE-2024-50379

tomcat CVE-2024-50379/CVE-2024-56337 条件竞争文件上传exp

Go Makefile

Updated: 1 week, 5 days ago
65 stars 16 fork 16 watcher
Born at : Dec. 23, 2024, 7:20 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
frlc/frlc

None

Updated: 4 weeks ago
0 stars 0 fork 0 watcher
Born at : Dec. 7, 2023, 3:29 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
0xAtef/0xAtef

None

Updated: 4 weeks ago
0 stars 0 fork 0 watcher
Born at : Jan. 14, 2023, 11:38 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-56337 vulnerability anywhere in the article.

  • The Hacker News
Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

Vulnerability / Incident Response The United States Treasury Department said it suffered a "major cybersecurity incident" that allowed suspected Chinese threat actors to remotely access some computers ... Read more

Published Date: Dec 31, 2024 (3 weeks ago)
CVE-2024-52046 CVE-2024-56337 CVE-2024-12686 CVE-2024-12356
  • The Hacker News
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

Cybersecurity / Hacking News Every week, the digital world faces new challenges and changes. Hackers are always finding new ways to breach systems, while defenders work hard to keep our data safe. Whe ... Read more

Published Date: Dec 30, 2024 (3 weeks, 1 day ago)
CVE-2024-12856 CVE-2024-3393 CVE-2024-52046 CVE-2024-43441 CVE-2024-45387 CVE-2024-56337 CVE-2024-52324 CVE-2024-48874 CVE-2024-47547 CVE-2019-3568
  • The Hacker News
15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials

Vulnerability / Threat Intelligence A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck. The vulnerability ... Read more

Published Date: Dec 28, 2024 (3 weeks, 3 days ago)
CVE-2024-12856 CVE-2024-56337 CVE-2019-12168
  • The Hacker News
Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia

Cyber Attack / Data Theft The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen ... Read more

Published Date: Dec 27, 2024 (3 weeks, 4 days ago)
CVE-2024-56337 CVE-2018-0802 CVE-2017-11882
  • The Hacker News
FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsu ... Read more

Published Date: Dec 27, 2024 (3 weeks, 4 days ago)
CVE-2024-56337 CVE-2024-33112 CVE-2022-37056 CVE-2019-10891 CVE-2015-2051
  • The Hacker News
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

Vulnerability / Software Security The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result ... Read more

Published Date: Dec 27, 2024 (3 weeks, 4 days ago)
CVE-2024-52046 CVE-2024-43441 CVE-2024-45387 CVE-2024-56337 CVE-2024-53677
  • The Hacker News
Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now

Server Security / Vulnerability The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an ... Read more

Published Date: Dec 25, 2024 (3 weeks, 6 days ago)
CVE-2024-43441 CVE-2024-45387 CVE-2024-56337
  • Cybersecurity News
CVE-2024-56334: Command Injection Flaw Exposes Millions of Node.js Systems to Attack

A severe command injection vulnerability (CVE-2024-56334) has been identified in the widely used Node.js system information package, which has over 8 million monthly downloads and a staggering 330 mil ... Read more

Published Date: Dec 24, 2024 (4 weeks, 1 day ago)
CVE-2024-56334 CVE-2024-56337 CVE-2024-12356 CVE-2024-52338 CVE-2024-5921 CVE-2024-50623 CVE-2023-52424
  • Cybersecurity News
CVE-2021-44207: Vulnerability in Acclaim USAHERDS Actively Exploited, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm on a critical security flaw impacting the Acclaim USAHERDS web application. This vulnerability, officially tracked ... Read more

Published Date: Dec 24, 2024 (4 weeks, 1 day ago)
CVE-2024-56337 CVE-2024-56145 CVE-2024-49775 CVE-2024-53376 CVE-2024-11274 CVE-2024-42448 CVE-2024-42449 CVE-2024-41126 CVE-2024-41125 CVE-2024-5655 ...+3 more CVE
  • security.nl
Kritiek lek in Apache Tomcat maakt remote code execution mogelijk

Een kritieke kwetsbaarheid in Apache Tomcat maakt remote code execution mogelijk. De Apache Foundation kwam vorige week met een beveiligingsupdate, maar die bleek het probleem niet volledig te verhelp ... Read more

Published Date: Dec 23, 2024 (4 weeks, 1 day ago)
CVE-2024-56337 CVE-2024-50379
  • BleepingComputer
Apache fixes remote code execution bypass in Tomcat web server

Apache has released a security update that addresses an important vulnerability in Tomcat web server that could lead to an attacker achieving remote code execution. Apache Tomcat is an open-source web ... Read more

Published Date: Dec 23, 2024 (4 weeks, 1 day ago)
CVE-2024-56337 CVE-2024-50379
  • Cybersecurity News
CVE-2024-56337: Apache Tomcat Patches Critical RCE Vulnerability

The Apache Software Foundation recently released a critical security update to address a remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2024-56337. This vulnerability af ... Read more

Published Date: Dec 23, 2024 (4 weeks, 2 days ago)
CVE-2024-56337 CVE-2024-54677 CVE-2024-50379 CVE-2024-49112 CVE-2024-52335 CVE-2024-42327 CVE-2024-8811 CVE-2024-47855 CVE-2023-45648 CVE-2023-42795 ...+1 more CVE

The following table lists the changes that have been made to the CVE-2024-56337 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jan. 03, 2025

    Action Type Old Value New Value
    Added Reference https://security.netapp.com/advisory/ntap-20250103-0002/
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 31, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • New CVE Received by [email protected]

    Dec. 20, 2024

    Action Type Old Value New Value
    Added Description Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
    Added CWE CWE-367
    Added Reference https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp
    Added Reference https://www.cve.org/CVERecord?id=CVE-2024-50379
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-56337 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-56337 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: