7.3
CVE-2026-55957
- EPSS 0.46%
- Veröffentlicht 29.06.2026 20:47:12
- Zuletzt bearbeitet 02.07.2026 19:01:45
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.368 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.3 | 3.9 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
CWE-304 Missing Critical Step in Authentication
The product implements an authentication technique, but it skips a step that weakens the technique.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://lists.apache.org/thread/7fk339o5jvd4mcgsf0chbrn4o525ccjh
http://www.openwall.com/lists/oss-security/2026/06/29/26