{
  "schema_version": "1.7.2",
  "id": "OESA-2024-2564",
  "modified": "2025-08-13T07:23:00Z",
  "published": "2024-12-20T01:42:52Z",
  "upstream": ["CVE-2024-50379", "CVE-2024-54677"],
  "summary": "tomcat security update",
  "details": "The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project.\r\n\r\nSecurity Fix(es):\r\n\r\nTime-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. (CVE-2024-50379)\r\n\r\nUncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. (CVE-2024-54677)",
  "affected": [
    {
      "package": {
        "ecosystem": "openEuler:22.03-LTS-SP3",
        "name": "tomcat",
        "purl": "pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP3"
      },
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2203sp3"}]}
      ],
      "ecosystem_specific": {
        "noarch": [
          "tomcat-9.0.96-4.oe2203sp3.noarch.rpm",
          "tomcat-help-9.0.96-4.oe2203sp3.noarch.rpm",
          "tomcat-jsvc-9.0.96-4.oe2203sp3.noarch.rpm"
        ],
        "src": ["tomcat-9.0.96-4.oe2203sp3.src.rpm"]
      }
    },
    {
      "package": {
        "ecosystem": "openEuler:20.03-LTS-SP4",
        "name": "tomcat",
        "purl": "pkg:rpm/openEuler/tomcat&distro=openEuler-20.03-LTS-SP4"
      },
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2003sp4"}]}
      ],
      "ecosystem_specific": {
        "noarch": [
          "tomcat-9.0.96-4.oe2003sp4.noarch.rpm",
          "tomcat-help-9.0.96-4.oe2003sp4.noarch.rpm",
          "tomcat-jsvc-9.0.96-4.oe2003sp4.noarch.rpm"
        ],
        "src": ["tomcat-9.0.96-4.oe2003sp4.src.rpm"]
      }
    },
    {
      "package": {
        "ecosystem": "openEuler:22.03-LTS-SP1",
        "name": "tomcat",
        "purl": "pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP1"
      },
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2203sp1"}]}
      ],
      "ecosystem_specific": {
        "noarch": [
          "tomcat-9.0.96-4.oe2203sp1.noarch.rpm",
          "tomcat-help-9.0.96-4.oe2203sp1.noarch.rpm",
          "tomcat-jsvc-9.0.96-4.oe2203sp1.noarch.rpm"
        ],
        "src": ["tomcat-9.0.96-4.oe2203sp1.src.rpm"]
      }
    },
    {
      "package": {
        "ecosystem": "openEuler:24.03-LTS",
        "name": "tomcat",
        "purl": "pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS"
      },
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2403"}]}
      ],
      "ecosystem_specific": {
        "noarch": [
          "tomcat-9.0.96-4.oe2403.noarch.rpm",
          "tomcat-help-9.0.96-4.oe2403.noarch.rpm",
          "tomcat-jsvc-9.0.96-4.oe2403.noarch.rpm"
        ],
        "src": ["tomcat-9.0.96-4.oe2403.src.rpm"]
      }
    },
    {
      "package": {
        "ecosystem": "openEuler:22.03-LTS-SP4",
        "name": "tomcat",
        "purl": "pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP4"
      },
      "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2203sp4"}]}
      ],
      "ecosystem_specific": {
        "noarch": [
          "tomcat-9.0.96-4.oe2203sp4.noarch.rpm",
          "tomcat-help-9.0.96-4.oe2203sp4.noarch.rpm",
          "tomcat-jsvc-9.0.96-4.oe2203sp4.noarch.rpm"
        ],
        "src": ["tomcat-9.0.96-4.oe2203sp4.src.rpm"]
      }
    }
  ],
  "references": [
    {"type": "ADVISORY", "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2564"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50379"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54677"}
  ],
  "database_specific": {"severity": "Critical"}
}
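The two questions a practitioner asks of this record are whether an installed tomcat RPM is below the fixed build for its openEuler release, and whether the host actually meets the precondition CVE-2024-50379 needs, namely the default servlet being write-enabled. The following is an added example written for this page, not openEuler's or Apache Tomcat's own tooling. It assumes the OSV "affected" layout shown above, a simplified reimplementation of rpm's rpmvercmp (on a real host prefer `rpmdev-vercmp` or the rpm Python bindings), and Tomcat's conf/web.xml convention that the `default` servlet only accepts PUT/DELETE when its `readonly` init-param is explicitly `false`. The OSV fragment and both web.xml fragments are constructed samples.

```python
"""Added check for OESA-2024-2564: is an installed openEuler tomcat RPM older than the
fixed build, and is the Tomcat default servlet write-enabled (the non-default
configuration CVE-2024-50379 requires)?  Example code, not the project's own."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: one "affected" entry from the advisory, trimmed to what the check needs.
OSV_SAMPLE = json.loads('''{
  "affected": [
    {"package": {"ecosystem": "openEuler:22.03-LTS-SP3", "name": "tomcat"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "9.0.96-4.oe2203sp3"}]}]}
  ]
}''')

_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def _segcmp(a: str, b: str) -> int:
    """Compare one version or release string rpmvercmp-style (simplified, assumed)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts after an alpha one
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def rpm_vercmp(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings; negative means installed is older than fixed."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return _segcmp(iv, fv) or _segcmp(ir, fr)


def is_affected(osv: dict, ecosystem: str, name: str, installed_vr: str) -> bool:
    """True if installed_vr falls inside an [introduced, fixed) range of the OSV record."""
    for entry in osv["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry["ranges"]:
            introduced, fixed = None, None
            for ev in rng["events"]:
                introduced = ev.get("introduced", introduced)
                fixed = ev.get("fixed", fixed)
            if introduced not in (None, "0") and rpm_vercmp(installed_vr, introduced) < 0:
                continue  # older than the first vulnerable build
            if fixed is None or rpm_vercmp(installed_vr, fixed) < 0:
                return True
    return False


# Constructed sample: Tomcat 9 conf/web.xml with the default servlet opened for write.
WEB_XML_WRITABLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# The hardened form: readonly back to true (equivalently, drop the init-param entirely).
WEB_XML_HARDENED = WEB_XML_WRITABLE.replace("<param-value>false</param-value>",
                                            "<param-value>true</param-value>")


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for javaee and jakartaee web.xml files."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if the 'default' servlet declares init-param readonly=false.

    DefaultServlet treats readonly as true when the param is absent, so only an
    explicit 'false' enables PUT/DELETE, the precondition named in CVE-2024-50379.
    """
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False


if __name__ == "__main__":
    for vr in ("9.0.96-3.oe2203sp3", "9.0.96-4.oe2203sp3"):
        state = "affected" if is_affected(OSV_SAMPLE, "openEuler:22.03-LTS-SP3", "tomcat", vr) else "fixed"
        print(f"tomcat-{vr}: {state}")
    print("default servlet writable:", default_servlet_writable(WEB_XML_WRITABLE))
    print("after hardening:", default_servlet_writable(WEB_XML_HARDENED))
```

On a live host the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' tomcat`, and the web.xml to inspect is the one under CATALINA_BASE/conf, plus any per-application WEB-INF/web.xml that overrides the `default` servlet. A writable default servlet is a finding in its own right; the upgrade to 9.0.96-4 closes the race, and setting readonly back to true removes the precondition entirely.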