CVE-2021-30640

CWE-116 CWE-287 — Improper Authentication CWE-28911 documents9 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 69.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Oracle Communications Diameter Signaling Router Oracle Tekelec Platform Distribution +5 more

Timeline

PublishedJul 12

Latest updateMar 31

Description

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:NExploitability: 2.2 | Impact: 4.2

Affected Packages10 packages

▶NVDapache/tomcat7.0.0 — 7.0.109+3

▶Mavenorg.apache.tomcat:tomcat10.0.0-M1 — 10.0.5+2

▶CVEListV5apache_software_foundation/apache_tomcat4 versions+3

▶Debiantomcat9< 9.0.43-2~deb11u1+3

▶Ubuntutomcat9< 9.0.16-3ubuntu0.18.04.2+1

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

tomcat9 vulnerabilities↗2022-03-31

▶

OSV

Authentication Bypass by Alternate Name in Apache Tomcat↗2021-08-13

▶

GHSA

Authentication Bypass by Alternate Name in Apache Tomcat↗2021-08-13

▶

OSV

CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of t↗2021-07-12

▶

CVEList

Auth weakness in JNDIRealm↗2021-07-12

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2022-03-31

▶

Oracle

Oracle Oracle Communications Risk Matrix: Console (Apache Tomcat) — CVE-2021-30640↗2021-10-15

▶

Red Hat

tomcat: JNDI realm authentication weakness↗2021-07-12

▶

Debian

CVE-2021-30640: tomcat9 - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authent...↗2021

▶

Apache

Apache tomcat: CVE-2021-30640↗

▶