PT-2024-8689 · Apache · Apache Tomcat
Mark Thomas · Published 2024-02-03 · Updated 2026-04-28
CVE-2024-52316
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M26
Apache Tomcat versions 10.1.0-M1 through 10.1.30
Apache Tomcat versions 9.0.0-M1 through 9.0.95
Description
The issue is an Unchecked Error Condition (improper check for exceptional conditions) vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that throws an exception during the authentication process without explicitly setting an HTTP status code that indicates failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This vulnerability could allow a remote attacker to bypass the authentication process and cause a denial of service.
Recommendations
To resolve the issue, upgrade to version 11.0.0, 10.1.31, or 9.0.96.
For versions 11.0.0-M1 through 11.0.0-M26, upgrade to version 11.0.0.
For versions 10.1.0-M1 through 10.1.30, upgrade to version 10.1.31.
For versions 9.0.0-M1 through 9.0.95, upgrade to version 9.0.96.
Exploit · Fix
Tags: DoS · Improper Check for Exceptional Conditions
Affected Products
ALT Linux
Apache Tomcat
Astra Linux
RED OS
SUSE