Apache · Apache Tomcat · CVE-2021-24122
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 7.0.0 through 7.0.106
Apache Tomcat versions 8.5.0 through 8.5.59
Apache Tomcat versions 9.0.0.M1 through 9.0.39
Apache Tomcat versions 10.0.0-M1 through 10.0.0-M9
**Description**
When serving resources from a network location using the NTFS file system, Apache Tomcat was susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behavior of the JRE API `File.getCanonicalPath()`, which in turn was caused by the inconsistent behavior of the Windows API `FindFirstFileW` in some circumstances.
**Recommendations**
For Apache Tomcat versions 7.0.0 through 7.0.106, update to a version that includes the fix for this issue.
For Apache Tomcat versions 8.5.0 through 8.5.59, update to a version that includes the fix for this issue.
For Apache Tomcat versions 9.0.0.M1 through 9.0.39, update to a version that includes the fix for this issue.
For Apache Tomcat versions 10.0.0-M1 through 10.0.0-M9, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to JSP files served from network locations using the NTFS file system until a patch is available.
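An added example, not part of the advisory, for checking a fleet inventory against the affected ranges listed above: it parses Tomcat version strings (including the `M` milestone forms and the `Apache Tomcat/x.y.z` banner form) into sortable keys and reports which entries fall inside the stated ranges. Hostnames and versions in the sample are constructed; versions outside the ranges are reported as "not listed", since the advisory names no fixed version.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Affected ranges exactly as listed in the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.106"),
    ("8.5.0", "8.5.59"),
    ("9.0.0.M1", "9.0.39"),
    ("10.0.0-M1", "10.0.0-M9"),
]

# Accepts '9.0.39', '9.0.0.M1', '10.0.0-M9' and the 'Apache Tomcat/x.y.z' banner form.
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Build a sortable key. Milestones sort before the final release of the
    same x.y.z, so 10.0.0-M9 < 10.0.0 and 9.0.0.M27 < 9.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's listed ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, version) pairs; versions outside the listed ranges are
    reported as 'not_listed', not as fixed, since the advisory names no fix version."""
    report: Dict[str, List[str]] = {"affected": [], "not_listed": []}
    for host, version in inventory:
        report["affected" if is_affected(version) else "not_listed"].append(f"{host} {version}")
    return report


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = [
        ("app01.example.invalid", "Apache Tomcat/9.0.39"),
        ("app02.example.invalid", "10.0.0-M9"),
        ("app03.example.invalid", "10.0.0-M10"),
        ("app04.example.invalid", "8.5.60"),
    ]
    print(audit(sample))
```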