GHSA-xcpr-7mr4-h4xq

Suggest an improvement
Source
https://github.com/advisories/GHSA-xcpr-7mr4-h4xq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xcpr-7mr4-h4xq
Aliases
Published
2024-11-18T12:30:43Z
Modified
2024-11-20T07:57:13.659034Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Tomcat - Authentication Bypass
Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Database specific
{
    "nvd_published_at": "2024-11-18T12:15:18Z",
    "cwe_ids": [
        "CWE-391"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T23:48:03Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.96

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72
7.0.73
7.0.75
7.0.76
7.0.77
7.0.78
7.0.79
7.0.81
7.0.82
7.0.84
7.0.85
7.0.86
7.0.88
7.0.90
7.0.91
7.0.92
7.0.93
7.0.94
7.0.96
7.0.99
7.0.100
7.0.103
7.0.104
7.0.105
7.0.106
7.0.107
7.0.108
7.0.109

8.*

8.0.0-RC1
8.0.0-RC3
8.0.0-RC5
8.0.0-RC10
8.0.1
8.0.3
8.0.5
8.0.8
8.0.9
8.0.11
8.0.12
8.0.14
8.0.15
8.0.17
8.0.18
8.0.20
8.0.21
8.0.22
8.0.23
8.0.24
8.0.26
8.0.27
8.0.28
8.0.29
8.0.30
8.0.32
8.0.33
8.0.35
8.0.36
8.0.37
8.0.38
8.0.39
8.0.41
8.0.42
8.0.43
8.0.44
8.0.45
8.0.46
8.0.47
8.0.48
8.0.49
8.0.50
8.0.51
8.0.52
8.0.53
8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.19
8.5.20
8.5.21
8.5.23
8.5.24
8.5.27
8.5.28
8.5.29
8.5.30
8.5.31
8.5.32
8.5.33
8.5.34
8.5.35
8.5.37
8.5.38
8.5.39
8.5.40
8.5.41
8.5.42
8.5.43
8.5.45
8.5.46
8.5.47
8.5.49
8.5.50
8.5.51
8.5.53
8.5.54
8.5.55
8.5.56
8.5.57
8.5.58
8.5.59
8.5.60
8.5.61
8.5.63
8.5.64
8.5.65
8.5.66
8.5.68
8.5.69
8.5.70
8.5.71
8.5.72
8.5.73
8.5.75
8.5.76
8.5.77
8.5.78
8.5.79
8.5.81
8.5.82
8.5.83
8.5.84
8.5.85
8.5.86
8.5.87
8.5.88
8.5.89
8.5.90
8.5.91
8.5.92
8.5.93
8.5.94
8.5.95
8.5.96
8.5.97
8.5.98
8.5.99
8.5.100

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89
9.0.90
9.0.91
9.0.93
9.0.94
9.0.95

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0-M1
Fixed
10.1.30

Affected versions

10.*

10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
10.1.25
10.1.26
10.1.28
10.1.29

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0-M1
Fixed
11.0.1

Affected versions

11.*

11.0.0-M1
11.0.0-M3
11.0.0-M4
11.0.0-M5
11.0.0-M6
11.0.0-M7
11.0.0-M9
11.0.0-M10
11.0.0-M11
11.0.0-M12
11.0.0-M13
11.0.0-M14
11.0.0-M15
11.0.0-M16
11.0.0-M17
11.0.0-M18
11.0.0-M19
11.0.0-M20
11.0.0-M21
11.0.0-M22
11.0.0-M24
11.0.0-M25
11.0.0-M26
11.0.0

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M26"
}