Today > | 5 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-52316

Nov. 21, 2024, 9:46 a.m.

CVSS Score

9.8 / 10

Product(s) Impacted

Apache Tomcat

  • 11.0.0-M1 - 11.0.0-M26
  • 10.1.0-M1 - 10.1.30
  • 9.0.0-M1 - 9.0.95

Description

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Weaknesses

CWE-391
Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

CWE ID: 391

Date

Published: Nov. 18, 2024, 12:15 p.m.

Last Modified: Nov. 21, 2024, 9:46 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score
9.8
Exploitability Score
3.9
Impact Score
5.9
Base Severity
CRITICAL
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://lists.apache.org/ security@apache.org

http://www.openwall.com/ af854a3a-2127-422b-91ae-364da2661108