GHSA-xcpr-7mr4-h4xq

Source

https://github.com/advisories/GHSA-xcpr-7mr4-h4xq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xcpr-7mr4-h4xq/GHSA-xcpr-7mr4-h4xq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xcpr-7mr4-h4xq

Aliases

Published

2024-11-18T12:30:43Z

Modified

2024-11-20T07:59:13.957677Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Tomcat - Authentication Bypass

Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

References

Affected packages

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.96

Affected versions

7.*

7.0.0

7.0.2

7.0.4

7.0.5

7.0.6

7.0.8

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

7.0.72

7.0.73

7.0.75

7.0.76

7.0.77

7.0.78

7.0.79

7.0.81

7.0.82

7.0.84

7.0.85

7.0.86

7.0.88

7.0.90

7.0.91

7.0.92

7.0.93

7.0.94

7.0.96

7.0.99

7.0.100

7.0.103

7.0.104

7.0.105

7.0.106

7.0.107

7.0.108

7.0.109

8.*

8.0.0-RC1

8.0.0-RC3

8.0.0-RC5

8.0.0-RC10

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

8.0.32

8.0.33

8.0.35

8.0.36

8.0.37

8.0.38

8.0.39

8.0.41

8.0.42

8.0.43

8.0.44

8.0.45

8.0.46

8.0.47

8.0.48

8.0.49

8.0.50

8.0.51

8.0.52

8.0.53

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

8.5.61

8.5.63

8.5.64

8.5.65

8.5.66

8.5.68

8.5.69

8.5.70

8.5.71

8.5.72

8.5.73

8.5.75

8.5.76

8.5.77

8.5.78

8.5.79

8.5.81

8.5.82

8.5.83

8.5.84

8.5.85

8.5.86

8.5.87

8.5.88

8.5.89

8.5.90

8.5.91

8.5.92

8.5.93

8.5.94

8.5.95

8.5.96

8.5.97

8.5.98

8.5.99

8.5.100

9.*

9.0.0.M1

9.0.0.M3

9.0.0.M4

9.0.0.M6

9.0.0.M8

9.0.0.M9

9.0.0.M10

9.0.0.M11

9.0.0.M13

9.0.0.M15

9.0.0.M17

9.0.0.M18

9.0.0.M19

9.0.0.M20

9.0.0.M21

9.0.0.M22

9.0.0.M25

9.0.0.M26

9.0.0.M27

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

9.0.69

9.0.70

9.0.71

9.0.72

9.0.73

9.0.74

9.0.75

9.0.76

9.0.78

9.0.79

9.0.80

9.0.81

9.0.82

9.0.83

9.0.84

9.0.85

9.0.86

9.0.87

9.0.88

9.0.89

9.0.90

9.0.91

9.0.93

9.0.94

9.0.95

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0-M1

Fixed

10.1.30

Affected versions

10.*

10.1.0-M1

10.1.0-M2

10.1.0-M4

10.1.0-M5

10.1.0-M6

10.1.0-M7

10.1.0-M8

10.1.0-M10

10.1.0-M11

10.1.0-M12

10.1.0-M14

10.1.0-M15

10.1.0-M16

10.1.0-M17

10.1.0

10.1.1

10.1.2

10.1.4

10.1.5

10.1.6

10.1.7

10.1.8

10.1.9

10.1.10

10.1.11

10.1.12

10.1.13

10.1.14

10.1.15

10.1.16

10.1.17

10.1.18

10.1.19

10.1.20

10.1.23

10.1.24

10.1.25

10.1.26

10.1.28

10.1.29

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M1

Fixed

11.0.1

Affected versions

11.*

11.0.0-M1

11.0.0-M3

11.0.0-M4

11.0.0-M5

11.0.0-M6

11.0.0-M7

11.0.0-M9

11.0.0-M10

11.0.0-M11

11.0.0-M12

11.0.0-M13

11.0.0-M14

11.0.0-M15

11.0.0-M16

11.0.0-M17

11.0.0-M18

11.0.0-M19

11.0.0-M20

11.0.0-M21

11.0.0-M22

11.0.0-M24

11.0.0-M25

11.0.0-M26

11.0.0

Database specific

{
    "last_known_affected_version_range": "<= 11.0.0-M26"
}