CVE-2021-24122
Description
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
Risk Information
Base Score
5.9
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
53.943
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 10.0.0-M10 | Windows |
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 9.0.40 | Windows |
| Vulnerabilities CVE-2021-24122 are fixed in 11 November 2020 Fixed in Apache Tomcat 7.0.107 | Windows |
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 8.5.60 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.4.0 | Windows |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core 10.0.0 | Windows |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core 9.0.40 | Windows |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core 8.5.60 | Windows |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core 7.0.107 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.9 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.4 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.1 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.3 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.1.2 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.8 | Windows |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-admin-webapps-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-docs-webapp-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-el-3_0-api-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-javadoc-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-jsp-2_3-api-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-lib-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-servlet-4_0-api-9.0.36-3.61.1.noarch.rpm | Linux |
| SUSE-SU-2021:0530-1(SUSE Linux Enterprise Server 12-SP5 ) tomcat-webapps-9.0.36-3.61.1.noarch.rpm | Linux |
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 10.0.0-M10 (For Linux) | Linux |
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 9.0.40 (For Linux) | Linux |
| Vulnerabilities CVE-2021-24122 are fixed in 11 November 2020 Fixed in Apache Tomcat 7.0.107 (For Linux) | Linux |
| Vulnerabilities CVE-2020-17527,CVE-2021-24122 are fixed in 17 November 2020 Fixed in Apache Tomcat 8.5.60 (For Linux) | Linux |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core for Linux 10.0.0 | Linux |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core for Linux 9.0.40 | Linux |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core for Linux 8.5.60 | Linux |
| Vulnerabilities CVE-2021-24122 are fixed in Apache - tomcat-embed-core for Linux 7.0.107 | Linux |
Patch Details
No records found