Apache Tomcat, a widely used open-source web server and servlet container, is essential for hosting Java applications. It features a critical authentication bypass vulnerability (CVE-2024-52316) that can allow unauthorized access under specific configurations.
| Product | Apache Tomcat |
| Date | 2024-11-25 15:21:18 |
| Information |
|
Technical Summary
CVE-2024-52316 is a vulnerability related to improper error handling that affects the following Tomcat versions:
- 11.0.0-M1 through 11.0.0-M26
- 10.1.0-M1 through 10.1.30
- 9.0.0-M1 through 9.0.95
If a custom Jakarta Authentication ServerAuthContext component encounters an exception during authentication but does not explicitly set an HTTP status code for failure, the authentication may inadvertently succeed, allowing unauthorized access.
Although there are currently no known Jakarta Authentication components that exhibit this behavior, systems using custom implementations are at risk. The vulnerability has been fixed in Tomcat versions 11.0.0, 10.1.31, and 9.0.96.
Recommendations
- Update Apache Tomcat to the latest patched versions:
- 11.0.0 for 11.x series users.
- 10.1.31 for 10.x series users.
- 9.0.96 for 9.x series users.
[Callforaction-THREAT-Footer]
