CVE-2024-52316

CWE: CWE-391, CWE-754, CWE-248 | 8 documents | 7 sources

Severity: 9.8 CRITICAL
EPSS: 1.8% (top 17.10%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 18 | Latest update Apr 15

Description

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (5 packages)

Source     | Package                                          | Affected versions
NVD        | apache/tomcat                                    | 9.0.0 to 9.0.96 (+2 more)
Maven      | org.apache.tomcat:tomcat-catalina                | 10.1.0-M1 to 10.1.30 (+2 more)
CVEListV5  | apache_software_foundation/apache_tomcat         | 11.0.0-M1 to 11.0.0-M26 (+3 more)
Debian     | tomcat9                                          | < 9.0.43-2~deb11u11 (+3 more)
Debian     | tomcat10                                         | < 10.1.34-0+deb12u1 (+2 more)

Also affects: Debian Linux 11.0

Vulnerability Details (4)

CVEList: Apache Tomcat: Authentication bypass when using Jakarta Authentication API (2024-11-18)
GHSA: Apache Tomcat - Authentication Bypass (2024-11-18)
OSV: Apache Tomcat - Authentication Bypass (2024-11-18)
OSV: CVE-2024-52316: Unchecked Error Condition vulnerability in Apache Tomcat (2024-11-18)

Vendor Advisories (3)

Oracle: Oracle Hospitality Applications Risk Matrix: Next-Gen SPMS (Apache Tomcat) — CVE-2024-52316 (2025-04-15)
Red Hat: tomcat: Apache Tomcat: Authentication bypass when using Jakarta Authentication API (2024-11-18)
Debian: CVE-2024-52316: tomcat10 - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configure... (2024)

Source: cvebase.io (CVE-2024-52316, CRITICAL, CVSS 9.8)