Cyber Resilience

CVE-2024-56337

Critical

Published: 20 December 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1286 (94.2nd percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56337 is a critical-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Apache Tomcat. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-56337 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat that stems from an incomplete fix for the related CVE-2024-50379. It affects Tomcat versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97, as well as end-of-life releases from 8.5.0 through 8.5.100. The flaw manifests when Tomcat runs on a case-insensitive file system with the default servlet configured for write access by setting the readonly initialization parameter to false.

Remote attackers without authentication can exploit the race condition to achieve arbitrary file writes or other impacts that lead to full confidentiality, integrity, and availability compromise, reflected in the CVSS 9.8 score. Exploitation requires specific environmental conditions around file-system case sensitivity and servlet write permissions, but no user interaction is needed once those are met.

Advisories recommend upgrading to Tomcat 11.0.3, 10.1.35, or 9.0.99 and later, which add runtime checks for the sun.io.useCanonCaches system property and set it to false by default where possible. On Java 8 or 11, the property must be explicitly disabled; on Java 17 it must remain unset or false; and on Java 21 and newer no additional action is required because the problematic cache was removed.

The EPSS score rose from a low baseline to a peak of 0.4819 before receding to the current value of 0.1286, indicating increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
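The per-Java-version rule for sun.io.useCanonCaches in the Deeper analysis and in the vulnerability details above is easy to get wrong during a fleet review, so here is an added audit helper written for this page. It is not Apache Tomcat project code. It assumes the standard conf/web.xml layout for the default servlet's readonly init-param, uses constructed web.xml fragments for the demo run, and needs no Tomcat or Java installation to execute. The function names (java_major, canon_caches_flag, default_servlet_writable, audit) are this example's own.

```shell
#!/bin/sh
# Added example (not Apache Tomcat project code): audit helper that applies the
# advisory's per-Java-version rule for sun.io.useCanonCaches and checks whether
# the default servlet has been made writable (readonly=false) in a web.xml.
# Assumed: the standard conf/web.xml layout; no Tomcat or Java install needed.

# java_major VERSION -> major release number.
# Accepts the legacy "1.8.0_392" form and the modern "11.0.21" / "21" forms.
java_major() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | cut -d. -f1 ;;
    esac
}

# canon_caches_flag MAJOR -> the JVM option to add to CATALINA_OPTS, or an
# empty string when nothing is needed.
#   Java 8/11 : property defaults to true, so it must be set to false.
#   Java 17   : defaults to false; setting it explicitly to false is harmless
#               and guards against a "true" injected elsewhere in the environment.
#   Java 21+  : property and cache were removed, nothing to set.
canon_caches_flag() {
    if [ "$1" -ge 21 ]; then
        printf ''
    else
        printf '%s' '-Dsun.io.useCanonCaches=false'
    fi
}

# default_servlet_writable WEBXML -> returns 0 when the file sets the
# "readonly" init-param to "false" (the non-default, risky setting).
# Newlines and runs of whitespace are collapsed first so the two elements
# match however the file is indented.
default_servlet_writable() {
    tr -d '\n\r' < "$1" | tr -s ' \t' ' ' \
      | grep -q '<param-name> *readonly *</param-name> *<param-value> *false *</param-value>'
}

# audit VERSION WEBXML -> one-line verdict for the combination.
audit() {
    major=$(java_major "$1")
    flag=$(canon_caches_flag "$major")
    if default_servlet_writable "$2"; then
        if [ -n "$flag" ]; then
            printf 'ACTION: default servlet is writable; add %s to CATALINA_OPTS (Java %s)\n' "$flag" "$major"
        else
            printf 'OK: default servlet is writable but Java %s has no canon cache; still review why readonly=false is needed\n' "$major"
        fi
    else
        printf 'OK: default servlet is read-only (Java %s)\n' "$major"
    fi
}

# Constructed sample web.xml fragments (not real Tomcat files) for a demo run.
tmpdir=$(mktemp -d)
cat > "$tmpdir/writable.xml" <<'EOF'
<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
EOF
cat > "$tmpdir/readonly.xml" <<'EOF'
<servlet>
  <servlet-name>default</servlet-name>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
EOF

audit 1.8.0_392 "$tmpdir/writable.xml"
audit 17.0.9    "$tmpdir/writable.xml"
audit 21.0.1    "$tmpdir/writable.xml"
audit 11.0.21   "$tmpdir/readonly.xml"
rm -r "$tmpdir"
```

On a live host, feed audit the version string from `java -version` and the path to $CATALINA_BASE/conf/web.xml; the flag it prints belongs in CATALINA_OPTS (for example via bin/setenv.sh). Note that the check only detects the risky readonly=false setting; upgrading to Tomcat 11.0.3, 10.1.35 or 9.0.99 and later remains the primary fix.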

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / tomcat: 9.0.0 — 9.0.98 · 10.1.0 — 10.1.34 · 11.0.0 — 11.0.2
netapp / bootstrap os: all versions

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-367: Timestamps meeting UTC or offset standards help identify TOCTOU issues through precise chronological reconstruction of check/use operations.

References