CVE-2021-24122

CWE-200 — Information Exposure CWE-706 — Use of Incorrectly-Resolved Name9 documents8 sources

Severity

5.9MEDIUM

EPSS

52.6%

top 2.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat Apache Tomcat Debian Debian Linux +1 more

Timeline

PublishedJan 14

Latest updateJul 15

Description

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5apache_software_foundation/apache_tomcatApache Tomcat 10 — 10.0.0-M10+3

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core10.0.0-M1 — 10.0.0-M10+3

▶NVDapache/tomcat7.0.0 — 7.0.106+4

▶Debiantomcat9< 9.0.40-1+3

▶NVDoracle/agile_plm9.3.3, 9.3.6+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

Information Disclosure in Apache Tomcat↗2021-05-13

▶

OSV

Information Disclosure in Apache Tomcat↗2021-05-13

▶

OSV

CVE-2021-24122: When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10↗2021-01-14

▶

CVEList

Apache Tomcat information disclosure↗2021-01-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Supply Chain Risk Matrix: Folders, Files & Attachments (Apache Tomcat) — CVE-2021-24122↗2021-07-15

▶

Red Hat

tomcat: Information disclosure when using NTFS file system↗2021-01-14

▶

Debian

CVE-2021-24122: tomcat9 - When serving resources from a network location using the NTFS file system, Apach...↗2021

▶

Apache

Apache tomcat: CVE-2021-24122↗

▶