CVE-2024-56337 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java they are using with Tomcat:

- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
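The per-Java-version rules above are easy to get wrong during an audit because the default of sun.io.useCanonCaches differs between JDK releases. The following script is an added example, not Apache Tomcat's code: it reads the default servlet's readonly init-param from a web.xml fragment, extracts any -Dsun.io.useCanonCaches setting from a JVM options string, and applies the advisory's rules. The web.xml fragment and JVM option strings are constructed sample inputs; treating Java versions below 17 like Java 8/11 and Java 18-20 like Java 17 is a conservative assumption (the advisory only names 8, 11, 17 and 21), and the assumption that only the literal value "true" enables the property follows how the JDK reads boolean system properties.

```python
# Added example (not Apache Tomcat's code): decide whether a Tomcat/JVM
# configuration still needs the extra sun.io.useCanonCaches setting from the
# CVE-2024-56337 advisory. Inputs below are constructed samples.
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample: conf/web.xml with the default servlet write-enabled
# (readonly=false), the non-default setting the advisory warns about.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so tags compare as plain 'servlet', 'init-param', ..."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True when the 'default' servlet sets readonly=false; a missing param means read-only."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False


def canon_caches_setting(jvm_opts: str) -> Optional[bool]:
    """Parse -Dsun.io.useCanonCaches=... out of a JAVA_OPTS/CATALINA_OPTS string.
    None if unset; True only for the literal 'true' (case-insensitive), which is
    how the JDK reads boolean system properties (assumption). Last occurrence wins."""
    values = re.findall(r"-Dsun\.io\.useCanonCaches=([^\s\"']*)", jvm_opts)
    if not values:
        return None
    return values[-1].lower() == "true"


def mitigation_complete(java_major: int, use_canon_caches: Optional[bool],
                        writable: bool, case_insensitive_fs: bool) -> Tuple[bool, str]:
    """Apply the advisory's rules. Returns (ok, reason)."""
    if not (writable and case_insensitive_fs):
        return True, "default servlet read-only or file system case sensitive: extra setting not needed"
    if java_major >= 21:
        return True, "Java 21+: property and cache removed, nothing to set"
    if java_major >= 17:
        # Assumption: Java 18-20 handled like 17 (the advisory names 17 only).
        if use_canon_caches is True:
            return False, "Java 17: sun.io.useCanonCaches is true; remove it or set it to false"
        return True, "Java 17: sun.io.useCanonCaches unset or false (default is false)"
    # Java 8/11 (conservatively, anything below 17): default is true, so the
    # property must be explicitly false. Explicit false is safe on every version.
    if use_canon_caches is False:
        return True, "Java 8/11: sun.io.useCanonCaches explicitly false"
    return False, "Java 8/11: set -Dsun.io.useCanonCaches=false explicitly (defaults to true)"


def assess(web_xml: str, jvm_opts: str, java_major: int,
           case_insensitive_fs: bool) -> Tuple[bool, str]:
    """Combine the three inputs into one verdict for a host."""
    return mitigation_complete(java_major, canon_caches_setting(jvm_opts),
                               default_servlet_writable(web_xml), case_insensitive_fs)


if __name__ == "__main__":
    # Constructed scenarios: case-insensitive file system, different JDKs/options.
    for java, opts in ((11, "-Xmx1g"), (11, "-Xmx1g -Dsun.io.useCanonCaches=false"),
                       (17, "-Dsun.io.useCanonCaches=true"), (21, "")):
        ok, why = assess(SAMPLE_WEB_XML, opts, java, case_insensitive_fs=True)
        print(f"Java {java:>2} opts={opts!r:42} -> {'OK' if ok else 'ACTION NEEDED'}: {why}")
```

On a real host, feed `assess` the contents of conf/web.xml (and any per-application WEB-INF/web.xml that overrides the default servlet), the options from setenv.sh or the service wrapper, and the major version from `java -version`; the case-insensitive flag is true for Windows and default macOS volumes.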

Published: 2024-12-20 Last update: 2025-11-03 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-56337 is rated High Risk (68.1/100): CVSS Critical severity, with high exploitation likelihood (EPSS 8.71%, 94th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-56337

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-15  12.86%          8.71%           -4.15%
2  2026-06-05  13.16%          12.86%          -0.30%
3  2026-05-23  n/a             13.16%          n/a (first record)

Full EPSS history (63 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-56337

CVSS metrics for this CVE.

Base score: 9.8   Version: 3.1   Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9   Impact: 5.9   Score source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Vector breakdown:
- Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
- Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
- Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
- User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
- Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
- Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
- Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
- Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2024-56337

GitHub Security Advisory for CVE-2024-56337

GHSA-27hp-xhwr-wr2m · Severity: high · Ecosystem: maven — Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

OS Trackers for CVE-2024-56337

Vendor  Priority          Summary / link
debian  not yet assigned  Debian, including 2 source packages (tomcat10, tomcat9), 9 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9. https://security-tracker.debian.org/tracker/CVE-2024-56337
redhat  medium            https://access.redhat.com/security/cve/CVE-2024-56337
suse    high              https://www.suse.com/security/cve/CVE-2024-56337/
ubuntu  medium            Ubuntu, including 6 source packages (tomcat10, tomcat11, tomcat6, tomcat7, tomcat8, tomcat9), 51 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 26, needs-triage 7, ignored 5, needed 5, not-affected 5, released 3. https://ubuntu.com/security/CVE-2024-56337

Affected software / configurations for CVE-2024-56337

Vendor  Product       Version                Raw CPE
apache  tomcat        >= 9.0.0, < 9.0.98     cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache  tomcat        >= 10.1.0, < 10.1.34   cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache  tomcat        >= 11.0.0, < 11.0.2    cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
netapp  bootstrap_os  (all)                  cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*

References for CVE-2024-56337
