CVE-2021-24122: 
Java vulnerability analysis and mitigation

CVE-2021-24122 is a vulnerability discovered in Apache Tomcat affecting versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59, and 7.0.0 to 7.0.106. The vulnerability was disclosed on January 14, 2021, and involves JSP source code disclosure when serving resources from a network location using the NTFS file system (Apache Security).

The vulnerability stems from unexpected behavior of the JRE API File.getCanonicalPath() which was caused by inconsistent behavior of the Windows API (FindFirstFileW) in certain circumstances. This could lead to security constraint bypasses and exposure of JSP source code when specific configurations are used (Apache Security, Rapid7).

When successfully exploited, the vulnerability allows attackers to bypass security constraints and view the source code for JSPs in certain configurations. This information disclosure vulnerability could potentially expose sensitive application logic and security mechanisms (Apache Security).

Users should upgrade to Apache Tomcat versions 10.0.0-M10 or later, 9.0.40 or later, 8.5.60 or later, or 7.0.107 or later. These versions contain the necessary security fixes to address the vulnerability (Apache Security).