CVE-2024-52316

18.11.2024, 12:15

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC)ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known JakartaAuthentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apache	CNA	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 67%

Vendor	Product	Version
apache	tomcat	9.0.0 ≤ 𝑥 < 9.0.96
apache	tomcat	10.1.0 ≤ 𝑥 < 10.1.31
apache	tomcat	11.0.0:milestone1
apache	tomcat	11.0.0:milestone10
apache	tomcat	11.0.0:milestone11
apache	tomcat	11.0.0:milestone12
apache	tomcat	11.0.0:milestone13
apache	tomcat	11.0.0:milestone14
apache	tomcat	11.0.0:milestone15
apache	tomcat	11.0.0:milestone16
apache	tomcat	11.0.0:milestone17
apache	tomcat	11.0.0:milestone18
apache	tomcat	11.0.0:milestone19
apache	tomcat	11.0.0:milestone2
apache	tomcat	11.0.0:milestone20
apache	tomcat	11.0.0:milestone21
apache	tomcat	11.0.0:milestone22
apache	tomcat	11.0.0:milestone23
apache	tomcat	11.0.0:milestone24
apache	tomcat	11.0.0:milestone25
apache	tomcat	11.0.0:milestone26
apache	tomcat	11.0.0:milestone3
apache	tomcat	11.0.0:milestone4
apache	tomcat	11.0.0:milestone5
apache	tomcat	11.0.0:milestone6
apache	tomcat	11.0.0:milestone7
apache	tomcat	11.0.0:milestone8
apache	tomcat	11.0.0:milestone9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.34-0+deb12u2 fixed
bookworm (security)	10.1.34-0+deb12u2 fixed
trixie	10.1.40-1 fixed
sid	10.1.40-1 fixed

tomcat9

bullseye	vulnerable
bullseye (security)	9.0.43-2~deb11u12 fixed
bookworm	9.0.70-2 fixed
trixie	9.0.95-1 fixed
sid	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat10

plucky	not-affected
oracular	ignored
noble	needed
jammy	dne
focal	dne

tomcat6

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage
trusty	needs-triage

tomcat7

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

tomcat8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage

tomcat9

plucky	needs-triage
oracular	ignored
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

Common Weakness Enumeration

References

https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928

http://www.openwall.com/lists/oss-security/2024/11/18/2

https://security.netapp.com/advisory/ntap-20250124-0003/