CVE-2024-56337

Severity: CRITICAL (EPSS 95th percentile)
CVSS v3: 9.8 (NVD)

Description

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they are using with Tomcat:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
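A configuration check that applies the per-Java-version rule above to a Tomcat host, written as an added example for this page (it is not code from the page or from the Tomcat project). The conf/web.xml fragment and the JVM command line are constructed samples; treating pre-17 Java releases other than 8 and 11 like Java 8/11 is an assumption of the example.

```python
"""Decide whether a Tomcat host still needs the CVE-2024-56337 follow-up mitigation.

Rule from the CVE text: on a case insensitive file system with the default
servlet write enabled (readonly=false), Java 8/11 need an explicit
-Dsun.io.useCanonCaches=false, Java 17 needs it unset or false, Java 21+
needs nothing. Inputs below are constructed samples, not data from a host.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of the default servlet entry in conf/web.xml (readonly=false)
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample JVM command line as it would appear in a process listing
SAMPLE_CMDLINE = ("java -Dsun.io.useCanonCaches=true -Dcatalina.home=/opt/tomcat "
                  "org.apache.catalina.startup.Bootstrap start")

def _local(tag):
    """Strip the XML namespace so elements compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def default_servlet_readonly(web_xml):
    """Effective readonly value of the default servlet; Tomcat's default is true."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "true").lower() != "false"
    return True

def canon_caches_setting(cmdline):
    """True/False for an explicit -Dsun.io.useCanonCaches=..., None when unset."""
    for tok in shlex.split(cmdline):
        if tok.startswith("-Dsun.io.useCanonCaches="):
            return tok.split("=", 1)[1].strip().lower() == "true"
    return None

def mitigation_status(java_major, readonly, canon_caches, case_insensitive_fs=True):
    """Apply the per-Java-version rule; returns 'ok', 'needs-fix' or 'not-applicable'."""
    if readonly or not case_insensitive_fs:
        return "not-applicable"   # default servlet not write enabled, or FS is case sensitive
    if java_major >= 21:
        return "ok"               # property and the problematic cache no longer exist
    if java_major == 17:
        return "ok" if canon_caches in (None, False) else "needs-fix"  # defaults to false
    # Java 8/11 (assumption: other pre-17 releases treated the same): defaults to true
    return "ok" if canon_caches is False else "needs-fix"
```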

How to fix

Remediation Available

Package (distribution): fixed version (advisory)

tomcat10 (Debian): 10.1.34-0+deb12u1, 10.1.34-1 (CVE-2024-56337)

jws5-* packages (Red Hat / RHEL and Rocky), all fixed in 0:9.0.87-11.redhat_00010.1 (RHSA-2025:4521):
- jws5-tomcat, jws5-tomcat-admin-webapps, jws5-tomcat-docs-webapp, jws5-tomcat-el-3.0-api, jws5-tomcat-javadoc, jws5-tomcat-jsp-2.3-api, jws5-tomcat-lib, jws5-tomcat-selinux, jws5-tomcat-servlet-4.0-api, jws5-tomcat-webapps: el7jws, el8jws and el9jws builds
- jws5-tomcat-java-jdk8, jws5-tomcat-java-jdk11: el7jws build only

tomcat packages for el8/el9 (tomcat, tomcat-admin-webapps, tomcat-docs-webapp, tomcat-el-3.0-api, tomcat-jsp-2.3-api, tomcat-lib, tomcat-servlet-4.0-api, tomcat-webapps; Red Hat / RHEL and Rocky):
- 1:9.0.87-1.el8_8.5 (RHSA-2025:11382)
- 1:9.0.87-1.el8_10.4 (RHSA-2025:11333)
- 1:9.0.87-1.el9_2.4 (RHSA-2025:11381)
- 1:9.0.87-1.el9_4.4 (RHSA-2025:11334)
- 1:9.0.87-3.el9_6.1 (RHSA-2025:11335)

tomcat9 packages for el10 (tomcat9, tomcat9-admin-webapps, tomcat9-docs-webapp, tomcat9-el-3.0-api, tomcat9-jsp-2.3-api, tomcat9-lib, tomcat9-servlet-4.0-api, tomcat9-webapps; Red Hat / RHEL and Rocky): 1:9.0.87-5.el10_0.1 (RHSA-2025:11332)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

EPSS: 8.86% probability of exploitation in 30 days (95th percentile)

High risk: more likely to be exploited than 95% of all known CVEs.

References

Vendor Advisory: 1
Third-Party Advisory: 2
Other references: 1
Embed a live status badge for CVE-2024-56337

Markdown

[![CVE-2024-56337](https://tridentstack.com/cve/badge/CVE-2024-56337.svg)](https://tridentstack.com/cve/CVE-2024-56337)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-56337"><img src="https://tridentstack.com/cve/badge/CVE-2024-56337.svg" alt="CVE-2024-56337"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-11-03.