CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928	Vendor Advisory Mailing List
http://www.openwall.com/lists/oss-security/2024/11/18/2	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250124-0003/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::

History

15 May 2025, 17:57

Type	Values Removed	Values Added
First Time		Apache Apache tomcat
References	~~() https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928 -~~	() https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928 - Vendor Advisory, Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2024/11/18/2 -~~	() http://www.openwall.com/lists/oss-security/2024/11/18/2 - Mailing List, Third Party Advisory
References	~~() https://security.netapp.com/advisory/ntap-20250124-0003/ -~~	() https://security.netapp.com/advisory/ntap-20250124-0003/ - Third Party Advisory
CWE		CWE-754
CPE		cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone21:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone24:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone22:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone26:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone23:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::

24 Jan 2025, 20:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250124-0003/ -

Information

Published : 2024-11-18 12:15

Updated : 2025-05-15 17:57

NVD link : CVE-2024-52316

Mitre link : CVE-2024-52316

CVE.ORG link : CVE-2024-52316

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-391

Unchecked Error Condition

CWE-754

Improper Check for Unusual or Exceptional Conditions

9.8 /10