GHSA-36qh-35cm-5w2w

Suggest an improvement
Source
https://github.com/advisories/GHSA-36qh-35cm-5w2w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-36qh-35cm-5w2w/GHSA-36qh-35cm-5w2w.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-36qh-35cm-5w2w
Aliases
Published
2021-08-13T15:21:24Z
Modified
2024-02-19T05:20:58.052305Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Authentication Bypass by Alternate Name in Apache Tomcat
Details

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Database specific
{
    "nvd_published_at": "2021-07-12T15:15:00Z",
    "cwe_ids": [
        "CWE-116",
        "CWE-287",
        "CWE-289"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-13T19:21:02Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0-M1
Fixed
10.0.5

Affected versions

10.*

10.0.0-M1
10.0.0-M3
10.0.0-M4
10.0.0-M5
10.0.0-M6
10.0.0-M7
10.0.0-M8
10.0.0-M9
10.0.0-M10
10.0.0
10.0.2
10.0.4

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0M1
Fixed
9.0.45

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.65

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.19
8.5.20
8.5.21
8.5.23
8.5.24
8.5.27
8.5.28
8.5.29
8.5.30
8.5.31
8.5.32
8.5.33
8.5.34
8.5.35
8.5.37
8.5.38
8.5.39
8.5.40
8.5.41
8.5.42
8.5.43
8.5.45
8.5.46
8.5.47
8.5.49
8.5.50
8.5.51
8.5.53
8.5.54
8.5.55
8.5.56
8.5.57
8.5.58
8.5.59
8.5.60
8.5.61
8.5.63
8.5.64