Apache Tomcat Unchecked Error Condition in Jakarta Authentication
CVE-2024-52316 Published on November 18, 2024
Apache Tomcat: Authentication bypass when using Jakarta Authentication API
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
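As an added example (not Tomcat's own code and not any real Jakarta Authentication component): a ServerAuthModule written to fail closed, so that an internal error while checking credentials ends in an explicit 401 plus SEND_FAILURE instead of an exception escaping with no status set, which is the condition the advisory describes. It assumes the Tomcat 10.1/11 `jakarta.security.auth.message` and `jakarta.servlet` packages (Tomcat 9 uses the `javax.*` equivalents) and a hypothetical token-to-user map standing in for a real credential backend.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Fail-closed module: every non-success path sets an HTTP status AND returns SEND_FAILURE. */
public class FailClosedAuthModule implements ServerAuthModule {
    private final Map<String, String> tokenToUser; // hypothetical credential store (assumption)
    private CallbackHandler handler;
    public FailClosedAuthModule(Map<String, String> tokenToUser) { this.tokenToUser = tokenToUser; }

    @Override
    public void initialize(MessagePolicy reqPolicy, MessagePolicy respPolicy,
                           CallbackHandler handler, Map options) { this.handler = handler; }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        String user = null;
        try {
            user = tokenToUser.get(req.getHeader("X-Auth-Token"));
            if (user != null) {
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user) });
            }
        } catch (Exception e) {
            user = null; // backend or callback error: treat as not authenticated, never let it escape
        }
        if (user != null) return AuthStatus.SUCCESS;
        try { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
        catch (IOException e) { throw new AuthException("cannot send 401: " + e.getMessage()); }
        return AuthStatus.SEND_FAILURE; // status already set; container must not proceed
    }

    @Override public AuthStatus secureResponse(MessageInfo info, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject s) { }
}
```

The module-side rule is the one the advisory implies: a failed or errored check must leave the response with a failure status and return a failure AuthStatus, rather than relying on the container to infer failure from an exception; upgrading Tomcat to the fixed versions remains the actual remediation.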
Vulnerability Analysis
CVE-2024-52316 is exploitable with network access and requires neither authorization privileges nor user interaction. The attack complexity is considered low. The potential impact of exploitation is considered critical, since the vulnerability has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
Unchecked Error Condition
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
Products Associated with CVE-2024-52316
Affected Versions
Apache Software Foundation Apache Tomcat:
- 11.0.0-M1 through 11.0.0-M26: affected.
- 10.1.0-M1 through 10.1.30: affected.
- 9.0.0-M1 through 9.0.95: affected.
- 8.5.0 through 8.5.100: affected.
- 10.0.0-M1 through 10.0.27: unknown.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.