Vulnerability details: VCID-18h1-c684-yydc
Vulnerability ID VCID-18h1-c684-yydc
Aliases CVE-2024-50379
GHSA-5j33-cvvr-w245
Summary Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Status Published
Exploitability 2.0
Weighted Severity 8.8
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-50379.json
epss 0.88612 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.88763 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.88888 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.88888 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.88888 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.88888 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
epss 0.89324 https://api.first.org/data/v1/epss?cve=CVE-2024-50379
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
cvssv3.1 7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5j33-cvvr-w245
cvssv3.1 9.8 https://github.com/apache/tomcat
generic_textual HIGH https://github.com/apache/tomcat
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f
generic_textual HIGH https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00
generic_textual HIGH https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41
generic_textual HIGH https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842
generic_textual HIGH https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2
generic_textual HIGH https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c
generic_textual HIGH https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c
cvssv3.1 9.8 https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
generic_textual HIGH https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
ssvc Track https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2024-50379
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-50379
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20250103-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20250103-0003
cvssv3.1 9.8 https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
generic_textual HIGH https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
cvssv3.1 9.8 https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
generic_textual HIGH https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
cvssv3.1 9.8 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
generic_textual HIGH https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2024/12/17/4
generic_textual HIGH http://www.openwall.com/lists/oss-security/2024/12/17/4
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2024/12/18/2
generic_textual HIGH http://www.openwall.com/lists/oss-security/2024/12/18/2
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-50379.json
https://api.first.org/data/v1/epss?cve=CVE-2024-50379
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f
https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00
https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41
https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842
https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2
https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c
https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
https://nvd.nist.gov/vuln/detail/CVE-2024-50379
https://security.netapp.com/advisory/ntap-20250103-0003
https://security.netapp.com/advisory/ntap-20250103-0003/
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98
http://www.openwall.com/lists/oss-security/2024/12/17/4
http://www.openwall.com/lists/oss-security/2024/12/18/2
2332817 https://bugzilla.redhat.com/show_bug.cgi?id=2332817
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CVE-2024-50379 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
GHSA-5j33-cvvr-w245 https://github.com/advisories/GHSA-5j33-cvvr-w245
RHSA-2025:0342 https://access.redhat.com/errata/RHSA-2025:0342
RHSA-2025:0343 https://access.redhat.com/errata/RHSA-2025:0343
RHSA-2025:0361 https://access.redhat.com/errata/RHSA-2025:0361
RHSA-2025:0362 https://access.redhat.com/errata/RHSA-2025:0362
RHSA-2025:1920 https://access.redhat.com/errata/RHSA-2025:1920
RHSA-2025:3645 https://access.redhat.com/errata/RHSA-2025:3645
RHSA-2025:3646 https://access.redhat.com/errata/RHSA-2025:3646
RHSA-2025:3647 https://access.redhat.com/errata/RHSA-2025:3647
RHSA-2025:3683 https://access.redhat.com/errata/RHSA-2025:3683
RHSA-2025:3684 https://access.redhat.com/errata/RHSA-2025:3684
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-50379.json

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-12-17T16:54:54Z/ Found at https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-50379

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20250103-0003

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2024/12/17/4

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2024/12/18/2

Exploit Prediction Scoring System (EPSS)
Percentile 0.99467
EPSS Score 0.88612
Published At July 13, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:09:44.559483+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json 36.1.3