CVE-2021-24122

MEDIUM

Apache Tomcat 7.0.0-7.0.106, 8.5.0-8.5.59, 9.0.0.M1-9.0.39, 10.0.0-M1-10.0.0-M9 - JSP Source Code Disclosure

Title source: llm
STIX 2.1

Description

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

References (11)

Core 11
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/01/14/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210212-0008/

Scores

CVSS v3 5.9
EPSS 0.2285
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200 CWE-706
Status published
Products (7)
apache/tomcat 9.0.0 milestone1 (27 CPE variants)
apache/tomcat 10.0.0 milestone1 (9 CPE variants)
apache/tomcat 7.0.0 - 7.0.106
debian/debian_linux 9.0
oracle/agile_plm 9.3.3
oracle/agile_plm 9.3.6
org.apache.tomcat.embed/tomcat-embed-core 10.0.0-M1 - 10.0.0-M10Maven
Published Jan 14, 2021
Tracked Since Feb 18, 2026