What is CVE-2021-24122?

CVE-2021-24122 is a vulnerability in Apache Software Foundation Tomcat, classified under Information Disclosure. Published 2021-01-14.

Is CVE-2021-24122 known to be exploited?

15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Information disclosure in Apache Software Foundation Tomcat

CVE-2021-24122

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some confi…

Vulnerability class: Information Disclosure

EPSS: 0.614 (98.3th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions Apache Tomcat 10, Apache Tomcat 9, Apache Tomcat 8.5

Weakness classification (CWE)

CWE-200 — Information Disclosure

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64… (x_refsource_MISC)
[tomcat-dev] 20210114 svn commit: r1885488 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml (mailing-list, x_refsource_MLIST)
[tomee-dev] 20210114 Re: Releases? (mailing-list, x_refsource_MLIST)
[oss-security] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure (mailing-list, x_refsource_MLIST)
[announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure (mailing-list, x_refsource_MLIST)
[tomcat-dev] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure (mailing-list, x_refsource_MLIST)
[tomcat-users] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure (mailing-list, x_refsource_MLIST)
[tomee-dev] 20210115 CVE-2021-24122 NTFS Information Disclosure Bug (mailing-list, x_refsource_MLIST)
[debian-lts-announce] 20210316 [SECURITY] [DLA 2596-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
www.oracle.com//security-alerts/cpujul2021.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-24122?: CVE-2021-24122 is a vulnerability in Apache Software Foundation Tomcat, classified under Information Disclosure. Published 2021-01-14.
Is CVE-2021-24122 known to be exploited?: 15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.