CVE-2024-52316
CVSS V2 None
CVSS V3 None
Description
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Overview
- CVE ID
- CVE-2024-52316
- Assigner
- apache
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-11-18T11:32:22.072Z
- Last Modified Date
- 2024-11-18T18:03:23.720Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928 | vendor-advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-52316 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52316 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-11-19 13:33:14 | Added to TrackCVE |