CVE-2024-52316

EPSS 0.99%
Published 18.11.2024 12:15:18
Last modified 08.08.2025 12:15:26
Source security@apache.org
Teams watchlist Login
Open Login

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 though 8.5.100.


Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Affected products Warnungen 0 Metrics 2 CWE 2 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 9.0.0 < 9.0.96

Apache ≫ Tomcat Version >= 10.1.0 < 10.1.31

Apache ≫ Tomcat Version11.0.0 Updatemilestone1

Apache ≫ Tomcat Version11.0.0 Updatemilestone10

Apache ≫ Tomcat Version11.0.0 Updatemilestone11

Apache ≫ Tomcat Version11.0.0 Updatemilestone12

Apache ≫ Tomcat Version11.0.0 Updatemilestone13

Apache ≫ Tomcat Version11.0.0 Updatemilestone14

Apache ≫ Tomcat Version11.0.0 Updatemilestone15

Apache ≫ Tomcat Version11.0.0 Updatemilestone16

Apache ≫ Tomcat Version11.0.0 Updatemilestone17

Apache ≫ Tomcat Version11.0.0 Updatemilestone18

Apache ≫ Tomcat Version11.0.0 Updatemilestone19

Apache ≫ Tomcat Version11.0.0 Updatemilestone2

Apache ≫ Tomcat Version11.0.0 Updatemilestone20

Apache ≫ Tomcat Version11.0.0 Updatemilestone21

Apache ≫ Tomcat Version11.0.0 Updatemilestone22

Apache ≫ Tomcat Version11.0.0 Updatemilestone23

Apache ≫ Tomcat Version11.0.0 Updatemilestone24

Apache ≫ Tomcat Version11.0.0 Updatemilestone25

Apache ≫ Tomcat Version11.0.0 Updatemilestone26

Apache ≫ Tomcat Version11.0.0 Updatemilestone3

Apache ≫ Tomcat Version11.0.0 Updatemilestone4

Apache ≫ Tomcat Version11.0.0 Updatemilestone5

Apache ≫ Tomcat Version11.0.0 Updatemilestone6

Apache ≫ Tomcat Version11.0.0 Updatemilestone7

Apache ≫ Tomcat Version11.0.0 Updatemilestone8

Apache ≫ Tomcat Version11.0.0 Updatemilestone9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.99%	0.761

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-391 Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/11/18/2

Third Party Advisory

Mailing List

https://security.netapp.com/advisory/ntap-20250124-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-52316

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52316

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52316

EUVD