Vulnerability Name: CVE-2021-24122 (CCN-194894)

Assigned: 2021-01-14
Published: 2021-01-14
Updated: 2022-10-24
Summary: When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath(), which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): None
Availability (A): None
8.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): High
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-706
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-24122

Source: CCN
Type: Apache Web site
Apache Tomcat

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

Source: XF
Type: UNKNOWN
apache-cve202124122-info-disc(194894)

Source: MISC
Type: Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E

Source: MLIST
Type: Mailing List, Vendor Advisory
[announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-dev] 20210115 CVE-2021-24122 NTFS Information Disclosure Bug

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-dev] 20210114 Re: Releases?

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-users] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20210114 svn commit: r1885488 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210316 [SECURITY] [DLA 2596-1] tomcat8 security update

Source: CCN
Type: oss-sec Mailing List, Thu, 14 Jan 2021 14:22:50 +0000
CVE-2021-24122 Apache Tomcat Information Disclosure

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210212-0008/

Source: CCN
Type: IBM Security Bulletin 6410788 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6416019 (WebSphere Cast Iron)
App Connect Professional & IBM WebSphere Cast Iron Solution are affected by Apache Tomcat vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6420375 (Tivoli Application Dependency Discovery Manager)
Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-24122)

Source: CCN
Type: IBM Security Bulletin 6437571 (UrbanCode Deploy)
CVE-2021-24122 When serving resources from a network location using the NTFS file system, Apache Tomcat versions 8.5.0 to 8.5.59 were susceptible to JSP source code disclo

Source: CCN
Type: IBM Security Bulletin 6453463 (Control Center)
Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center

Source: CCN
Type: IBM Security Bulletin 6550770 (UrbanCode Release)
IBM UrbanCode Release is affected by CVE-2021-24122

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-2412

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 7.0.0 and <= 7.0.106)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 8.5.0 and <= 8.5.59)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 9.0.1 and <= 9.0.39)
  • OR cpe:/a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.59:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:7.0.106:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_product_lifecycle_management_framework:9.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_cast_iron:7.5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_cast_iron:7.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_cast_iron:7.5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:7.5.2.0:*:*:*:professional:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:7.5.3.0:*:*:*:professional:*:*:*
  • OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:6.2.7.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.0.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_deploy:7.1.1.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8173 | P | Security update for golang-github-vpenso-prometheus_slurm_exporter (Important) (in QA) | 2023-06-12
oval:org.opensuse.security:def:643 | P | Security update for python-paramiko (Important) (in QA) | 2022-09-30
oval:org.opensuse.security:def:3544 | P | libFLAC++6-1.3.0-11.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95174 | P | tomcat-9.0.36-150200.22.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:113536 | P | tomcat-9.0.36-8.4 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:99432 | P | (Important) | 2021-11-11
oval:org.opensuse.security:def:106932 | P | tomcat-9.0.36-8.4 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:96786 | P | tcpdump-4.9.2-3.3.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:102206 | P | Security update for libtpms (Important) | 2021-09-09
oval:org.opensuse.security:def:2329 | P | tomcat-9.0.36-3.24.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63418 | P | tomcat-9.0.36-3.24.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101419 | P | tomcat-9.0.36-3.24.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:99631 | P | (Important) | 2021-04-30
oval:org.opensuse.security:def:99936 | P | (Low) | 2021-04-28
oval:org.opensuse.security:def:41822 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:38331 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:43965 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:39535 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:45380 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:40950 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:46252 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:9483 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:93186 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:91893 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:8732 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:98843 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:92681 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:69822 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:9682 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:92088 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:8927 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:99038 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:92880 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:92283 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:99233 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:93033 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:70373 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:10233 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:92482 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:69623 | P | Security update for tomcat (Important) | 2021-04-01
oval:org.opensuse.security:def:70369 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:10229 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:97355 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:69615 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:9475 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:8725 | P | Security update for tomcat (Important) | 2021-03-30
oval:org.opensuse.security:def:58907 | P | Security update for tomcat (Moderate) | 2021-02-25
oval:org.opensuse.security:def:33084 | P | Security update for tomcat (Moderate) | 2021-02-25
oval:org.opensuse.security:def:87548 | P | Security update for tomcat (Moderate) | 2021-02-25
oval:org.opensuse.security:def:111231 | P | Security update for tomcat (Moderate) | 2021-02-22
oval:org.opensuse.security:def:109494 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:67034 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:94007 | P | (Moderate) | 2021-02-19
oval:org.opensuse.security:def:76102 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:102828 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:118590 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:5945 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:95493 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:97226 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:69262 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:94218 | P | (Moderate) | 2021-02-19
oval:org.opensuse.security:def:100374 | P | (Moderate) | 2021-02-19
oval:org.opensuse.security:def:60456 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:96138 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:94429 | P | (Moderate) | 2021-02-19
oval:org.opensuse.security:def:100708 | P | (Moderate) | 2021-02-19
oval:org.opensuse.security:def:34633 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:108872 | P | Security update for tomcat (Moderate) | 2021-02-19
oval:org.opensuse.security:def:93792 | P | (Moderate) | 2021-02-19