6.5

CVE-2026-34500

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version >= 9.0.92 < 9.0.117
ApacheTomcat Version >= 10.1.22 < 10.1.54
ApacheTomcat Version >= 11.0.1 < 11.0.21
ApacheTomcat Version11.0.0 Updatemilestone14
ApacheTomcat Version11.0.0 Updatemilestone15
ApacheTomcat Version11.0.0 Updatemilestone16
ApacheTomcat Version11.0.0 Updatemilestone17
ApacheTomcat Version11.0.0 Updatemilestone18
ApacheTomcat Version11.0.0 Updatemilestone19
ApacheTomcat Version11.0.0 Updatemilestone20
ApacheTomcat Version11.0.0 Updatemilestone21
ApacheTomcat Version11.0.0 Updatemilestone22
ApacheTomcat Version11.0.0 Updatemilestone23
ApacheTomcat Version11.0.0 Updatemilestone24
ApacheTomcat Version11.0.0 Updatemilestone25
ApacheTomcat Version11.0.0 Updatemilestone26
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.2% 0.42
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 2.2 4.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.