CVE-2021-24122: Information Exposure

January 14, 2021 (updated November 9, 2023)

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

References

lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-24122

Detect and mitigate CVE-2021-24122 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →