CVE-2024-52316 Apache Tomcat - Authentication Bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M26
Apache Tomcat 10.1.0-M1 to 10.1.30
Apache Tomcat 9.0.0-M1 to 9.0.95
Description:
If Tomcat was configured to use a custom Jakarta Authentication
(formerly JASPIC) ServerAuthContext component which may throw an
exception during the authentication process without explicitly setting
an HTTP status to indicate failure, the authentication may not have
failed, allowing the user to bypass the authentication process. There
are no known Jakarta Authentication components that behave in this way.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0 or later
- Upgrade to Apache Tomcat 10.1.31 or later
- Upgrade to Apache Tomcat 9.0.96 or later
Credit:
This vulnerability identified by the Tomcat security team
History:
2024-11-18 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
