Nacl, WHOAMI, Yemoli and Ruozhi have discovered a critical severity vulnerability (CVE-2024-50379) in Apache Tomcat that could allow remote code execution (RCE) if the default servlet is write-enabled for a case-insensitive file system.
A simultaneous read and upload of the same file could bypass Tomcat’s case-sensitive checks and cause the uploaded file to be treated as a JSP, allowing remote code execution.
To fix this vulnerability, update to one of the following versions: 11.0.2, 10.1.34, 9.0.98, or any later version.
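As an added defender's check, not part of the original advisory or of Tomcat's own code, the Python below tests an installation against the two conditions named here: a DefaultServlet whose readonly init-param is set to false in conf/web.xml, and a version older than the fixed releases. The web.xml sample is constructed, and the case-insensitive file system condition is left for the operator to confirm.

```python
"""Added example (not from the advisory): check a Tomcat install for the
two preconditions of CVE-2024-50379 described above: a write-enabled
default servlet and a version below the fixed releases."""
import re
import xml.etree.ElementTree as ET

# Fixed versions named in the advisory, keyed by major.minor branch.
FIXED = {(11, 0): (11, 0, 2), (10, 1): (10, 1, 34), (9, 0): (9, 0, 98)}


def parse_version(v):
    """'9.0.97' -> (9, 0, 97); raises on unexpected input."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(v):
    """True if v is at least the fixed release for its branch. Branches the
    advisory does not list (e.g. 8.5) return False so they get a manual look."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[:2])
    return fixed is not None and ver >= fixed


def default_servlet_writable(web_xml_text):
    """True when web.xml sets readonly=false on the DefaultServlet.
    Tomcat's built-in default is readonly=true, so an absent param is safe."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():  # drop the xmlns prefix so tag names match plainly
        el.tag = el.tag.rsplit("}", 1)[-1]
    for servlet in root.iter("servlet"):
        cls = servlet.findtext("servlet-class", "").strip()
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for p in servlet.iter("init-param"):
            if p.findtext("param-name", "").strip() == "readonly":
                return p.findtext("param-value", "").strip().lower() == "false"
    return False


def exposed(version, web_xml_text):
    """Both conditions must hold; the case-insensitive host (e.g. Windows) is not checked here."""
    return default_servlet_writable(web_xml_text) and not version_is_fixed(version)


# Constructed sample: a conf/web.xml fragment with the risky setting.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
 <servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet>
</web-app>"""
```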
For more details, consult the corresponding advisory at the following link.
For more advisories, please follow the INCIBE website.