
Mageia 7: MGASA-2021-0072 Moderate: Tomcat JSP Code Exposure

February 6, 2021
Revised tomcat versions in MGASA-2021-0072 address a vulnerability related to NTFS file processing and potential exposure of JSP scripts.

Summary

When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances (CVE-2021-24122).

References

- https://bugs.mageia.org/show_bug.cgi?id=28093

- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40

- https://www.openwall.com/lists/oss-security/2021/01/14/1

- https://www.cve.org/CVERecord?id=CVE-2021-24122

Resolution

SRPMS

- 7/core/tomcat-9.0.39-1.1.mga7

Publication date: 06 Feb 2021
URL: https://advisories.mageia.org/MGASA-2021-0072.html
Type: security
CVE: CVE-2021-24122
