Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2024-52316

Public on 2024-11-18
Modified on 2024-11-19
Description

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Severity
Medium
See what this means
CVSS v3 Base Score
4.8
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Tomcat9 Extra tomcat 2025-01-21 20:23 ALAS2TOMCAT9-2025-015
Amazon Linux 2023 tomcat10 2025-01-21 23:11 ALAS2023-2025-814
Amazon Linux 2023 tomcat9 2025-01-21 23:11 ALAS2023-2025-813

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2024-52316 Mitre: CVE-2024-52316 FAQs regarding Amazon Linux ALAS/CVE Severity