CVE-2021-24122
Summary
| CVE | CVE-2021-24122 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-01-14 15:15:00 UTC |
| Updated | 2023-11-07 03:31:00 UTC |
| Description | When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. |
Risk And Classification
Problem Types: CWE-706
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.3 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [tomcat-dev] 20210114 svn commit: r1885488 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| [tomcat-dev] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure | | lists.apache.org | |
| Pony Mail! | MISC | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| [tomcat-users] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure | | lists.apache.org | |
| [tomee-dev] 20210115 CVE-2021-24122 NTFS Information Disclosure Bug | | lists.apache.org | |
| [SECURITY] [DLA 2596-1] tomcat8 security update | MLIST | lists.debian.org | |
| [announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure | | lists.apache.org | |
| [tomee-dev] 20210114 Re: Releases? | | lists.apache.org | |
| oss-security - [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure | MLIST | www.openwall.com | Mailing List, Third Party Advisory |
| CVE-2021-24122 Apache Tomcat Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This issue was identified by Ilja Brander.
Legacy QID Mappings
- 150533 Apache Tomcat Information Disclosure Vulnerability (CVE-2021-24122)
- 174906 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:0989-1)
- 174912 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1009-1)
- 178492 Debian Security Update for tomcat8 (DLA 2596-1)
- 179896 Debian Security Update for tomcat9 (CVE-2021-24122)
- 239735 Red Hat Update for red hat jboss web server 5.4.1 (RHSA-2021:0494)
- 356178 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-010
- 670219 EulerOS Security Update for tomcat (EulerOS-SA-2021-1856)
- 670309 EulerOS Security Update for tomcat (EulerOS-SA-2021-1915)
- 670677 EulerOS Security Update for tomcat (EulerOS-SA-2021-2435)
- 750350 OpenSUSE Security Update for tomcat (openSUSE-SU-2021:0330-1)
- 982594 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-2rvv-w9r2-rg7m)