The vulnerability, tracked as CVE-2024-56337, represents an incomplete mitigation of a previous critical security flaw, CVE-2024-50379, with high potential for remote code execution.
Apache noted that concurrent read and upload under load could bypass Tomcat's case-sensitivity checks, causing an uploaded file to be treated as a JSP and leading to remote code execution.
Users running Tomcat on a case-insensitive file system need additional configuration to fully mitigate the critical vulnerabilities, depending on the version of Java they're using.
CVE-2024-56337 requires users to adjust system property settings, emphasizing the need for careful attention to security configurations across different Java versions.
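As an added example (not code from the article, Apache, or the Tomcat project), the following Python checker applies the per-Java-version rule from Apache's CVE-2024-56337 advisory to a Tomcat installation's two relevant settings: the DefaultServlet `readonly` init-param in `conf/web.xml` (write-enabled when `false`) and the JVM system property `sun.io.useCanonCaches`, which the article refers to only as "system property settings". The Java-version thresholds encoded below (8/11 must set the property to false, 17 must not set it to true, 21+ has no property to set) are taken from that advisory; the `web.xml` fragment and JVM option strings are constructed samples.

```python
"""Configuration check for the CVE-2024-50379 / CVE-2024-56337 mitigation.

Added example, not from the article or the Tomcat project. Per-Java-version
rules follow the Apache advisory for CVE-2024-56337; sample inputs are
constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

CANON_CACHES_PROP = "sun.io.useCanonCaches"

# Constructed sample: a conf/web.xml whose DefaultServlet is write-enabled
# (readonly=false), i.e. the non-default, affected configuration.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same file with the Tomcat default (readonly=true).
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<param-value>false", "<param-value>true")


def _local(tag):
    """Strip the XML namespace so Tomcat 9/10/11 web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the DefaultServlet's 'readonly' init-param as a bool.

    Tomcat's default is True (writes disabled), so a missing param means True.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next(((c.text or "").strip() for c in servlet
                     if _local(c.tag) == "servlet-name"), "")
        if name != "default":
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            params = {_local(c.tag): (c.text or "").strip() for c in init}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "true").lower() == "true"
    return True


def canon_caches_setting(jvm_opts):
    """Extract -Dsun.io.useCanonCaches=<value> from a CATALINA_OPTS/JAVA_OPTS string.

    Returns 'true', 'false', or None when the property is not set at all.
    """
    m = re.search(r"-D" + re.escape(CANON_CACHES_PROP) + r"=(\S+)", jvm_opts)
    return m.group(1).lower() if m else None


def assess(web_xml_text, jvm_opts, java_major, case_insensitive_fs=True):
    """Return (mitigated, reason) for one Tomcat instance.

    The exposure needs all of: a case-insensitive file system, a write-enabled
    default servlet, and a JVM whose canonical-path cache is still active.
    """
    if not case_insensitive_fs:
        return True, "case-sensitive file system: not affected"
    if default_servlet_readonly(web_xml_text):
        return True, "default servlet is read-only (readonly=true): not affected"
    setting = canon_caches_setting(jvm_opts)
    if java_major >= 21:
        return True, "Java 21+: sun.io.useCanonCaches was removed, nothing to set"
    if java_major >= 17:
        if setting == "true":
            return False, "Java 17: sun.io.useCanonCaches is explicitly true; set it to false"
        return True, "Java 17: sun.io.useCanonCaches defaults to false and is not overridden"
    # Java 8 and 11: the cache is on by default, so it must be disabled explicitly.
    if setting == "false":
        return True, f"Java {java_major}: sun.io.useCanonCaches=false is set"
    return False, (f"Java {java_major}: add -D{CANON_CACHES_PROP}=false to CATALINA_OPTS "
                   "(the property defaults to true)")


if __name__ == "__main__":
    for opts, java in [("-Xmx1g", 11), ("-Dsun.io.useCanonCaches=false", 8), ("", 21)]:
        print(java, opts or "<no opts>", "->", assess(SAMPLE_WEB_XML, opts, java))
```

In practice the `jvm_opts` string would come from `bin/setenv.sh` (CATALINA_OPTS) or from the running process's command line, and `web_xml_text` from `conf/web.xml`; a per-application `WEB-INF/web.xml` can also redefine the default servlet and should be checked the same way.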