CVE-2024-50379 - Apache Tomcat RCE via TOCTOU (JSP Compilation)
Severity: None
Date: 2025-12-19
Abstract
Apache Tomcat was affected by a TOCTOU (time-of-check/time-of-use) race condition in JSP compilation that could allow Remote Code Execution (RCE) when the default servlet is write-enabled and the file system is case-insensitive. The vulnerability is tracked as CVE-2024-50379 and affects versions 11.0.0-M1 through 11.0.1, 10.1.0-M1 through 10.1.33, and 9.0.0.M1 through 9.0.97. It was addressed in versions 11.0.2, 10.1.34, and 9.0.98.
Oxygen products incorporate Apache Tomcat components internally or as part of embedded servers. This advisory addresses the potential implications of this vulnerability on Oxygen deployments.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion v8.0 and older | None | N/A |
| Oxygen Feedback v5.1.1 and older | None | Oxygen Feedback 5.1.2 build 2025012012 |
| Oxygen Web Author v27.1 and older | None | N/A |
Detail
CVE-2024-50379
Severity: High
CVSS Score: 8.1
CVE-2024-50379 describes a race condition in Apache Tomcat's JSP compilation logic that could lead to Remote Code Execution (RCE) on systems where: (1) the default servlet is write-enabled, and (2) the underlying filesystem is case-insensitive (e.g., Windows, macOS by default).
Oxygen Content Fusion and Web Author are delivered using Linux-based container images (Ubuntu) and are deployed on case-sensitive filesystems. Additionally, Tomcat’s default servlet remains in its default read-only configuration.
Oxygen Feedback is also packaged in Linux containers and does not expose writable configurations for the default servlet. Despite the low risk, tomcat-embed-core was upgraded to version 9.0.98 as a precaution.
Based on the above, no Oxygen product is affected by this vulnerability in a practical or exploitable way.
