PT-2020-20935 · Apache · Apache Tomcat
Ilja Brander · Published 2020-11-17 · Updated 2026-03-26
CVE-2021-24122
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.106
Apache Tomcat versions 8.5.0 through 8.5.59
Apache Tomcat versions 9.0.0.M1 through 9.0.39
Apache Tomcat versions 10.0.0-M1 through 10.0.0-M9
Description
When serving resources from a network location using the NTFS file system, Apache Tomcat was susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behavior of the JRE API File.getCanonicalPath(), which in turn was caused by the inconsistent behavior of the Windows API (FindFirstFileW) in some circumstances.
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.106, update to a version that includes the fix for this issue.
For Apache Tomcat versions 8.5.0 through 8.5.59, update to a version that includes the fix for this issue.
For Apache Tomcat versions 9.0.0.M1 through 9.0.39, update to a version that includes the fix for this issue.
For Apache Tomcat versions 10.0.0-M1 through 10.0.0-M9, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to JSP files served from network locations using the NTFS file system until a patch is available.
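The four affected ranges above mix plain releases (7.0.106) with milestone builds written two different ways (9.0.0.M1, 10.0.0-M9), so a naive string comparison gets the edges wrong. The following script is an added example, not part of this advisory or of Apache Tomcat: it turns a Tomcat version string into a sortable key in which milestones order before the final release, checks it against the ranges exactly as listed above, and reads the version out of the `server.info` line of Tomcat's `ServerInfo.properties` (shipped inside `lib/catalina.jar` as `org/apache/catalina/util/ServerInfo.properties`). The properties text at the bottom is a constructed sample, not a capture from a real install.

```python
"""Check a Tomcat build against the affected ranges listed in this advisory."""
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("7.0.0", "7.0.106"),
    ("8.5.0", "8.5.59"),
    ("9.0.0.M1", "9.0.39"),
    ("10.0.0-M1", "10.0.0-M9"),
]

# Tomcat writes milestones as 9.0.0.M1 (older lines) or 10.0.0-M1 (newer lines).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# The server.info line of ServerInfo.properties, e.g. "server.info=Apache Tomcat/9.0.39".
_SERVER_INFO_RE = re.compile(r"^server\.info\s*=\s*Apache Tomcat/(\S+)\s*$", re.M)

VersionKey = Tuple[int, int, int, int, int]


def parse_tomcat_version(version: str) -> VersionKey:
    """Turn a Tomcat version string into a sortable key.

    Key layout: (major, minor, patch, is_release, milestone_number).
    A milestone has is_release=0, so 10.0.0-M9 < 10.0.0-M10 < 10.0.0,
    which is the order in which Tomcat publishes those builds.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the advisory range containing `version`, or None if it is outside all of them."""
    key = parse_tomcat_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_tomcat_version(low) <= key <= parse_tomcat_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def version_from_server_info(properties_text: str) -> str:
    """Extract the version from the text of ServerInfo.properties."""
    m = _SERVER_INFO_RE.search(properties_text)
    if not m:
        raise ValueError("no server.info line found")
    return m.group(1)


# Constructed sample of a ServerInfo.properties file (not taken from a real install).
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/9.0.39
server.number=9.0.39.0
server.built=<constructed build stamp>
"""

if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    rng = affected_range(found)
    if rng:
        print(f"Tomcat {found} is inside affected range {rng[0]} .. {rng[1]}: update")
    else:
        print(f"Tomcat {found} is outside the affected ranges listed in this advisory")
```

To run it against a real install, extract `org/apache/catalina/util/ServerInfo.properties` from `lib/catalina.jar` and pass its contents to `version_from_server_info`; the range check deliberately stops at the last affected version named here and does not assume which later version carries the fix.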
Fix
Information Disclosure
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
Suse