6.5
CVE-2021-30640
- EPSS 9.89%
- Veröffentlicht 12.07.2021 15:15:08
- Zuletzt bearbeitet 21.11.2024 06:04:20
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Auth weakness in JNDIRealm
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oracle ≫ Communications Cloud Native Core Policy Version1.14.0
Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0 <= 8.5.0
Oracle ≫ Communications Pricing Design Center Version12.0.0.3.0
Oracle ≫ Hospitality Cruise Shipboard Property Management System Version20.1.0
Oracle ≫ Tekelec Platform Distribution Version >= 7.4.0 <= 7.7.1
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Debian ≫ Debian Linux Version11.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 9.89% | 0.95 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.2 | 4.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
|
| nvd@nist.gov | 5.8 | 8.6 | 4.9 |
AV:N/AC:M/Au:N/C:P/I:P/A:N
|
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.gentoo.org/glsa/202208-34
https://security.netapp.com/advisory/ntap-20210827-0007/
https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
https://www.debian.org/security/2021/dsa-4952
https://www.debian.org/security/2021/dsa-4986