The Apache Software Foundation has patched a Tomcat vulnerability CVE-2021-24122 that may lead to information disclosure.
A cyber attacker could exploit this vulnerability to access sensitive information.
Apache described the problem as related to an information disclosure flaw:
“When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.”
Apache Software Foundation
As noted in the Apache advisory, administrators should upgrade to one of the following Tomcat versions:
- Apache Tomcat 10.0.0-M10 or later.
- Apache Tomcat 9.0.40 or later.
- Apache Tomcat 8.5.60 or later.
- Apache Tomcat 7.0.107 or later.
Affected versions include Tomcat 10.0.0-M1- 10.0.0-M9, Tomcat 9.0.0.M1-9.0.39, Tomcat 8.5.0-8.5.59 and Tomcat 7.0.0-7.0.106.