CVE-2024-52316

Unchecked Error Condition (CWE-391)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS: 9.8 | EPSS: 0.04% | Severity: Critical

Summary

An Unchecked Error Condition vulnerability exists in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component that may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail. This could potentially allow a user to bypass the authentication process. It's important to note that there are no known Jakarta Authentication components that behave in this way.

Impact

The potential impact of this vulnerability is a bypass of the authentication process. This could lead to unauthorized access to protected resources or functionality within applications running on affected Tomcat servers. The CVSS v3.1 base score is 4.8, indicating a medium severity. The confidentiality and integrity impacts are both rated as LOW, while there is no impact on availability. The attack vector is NETWORK, requiring no user interaction, but the attack complexity is HIGH, which may limit the ease of exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation at the moment.

Patch

A patch is available. Users are recommended to upgrade to Apache Tomcat version 11.0.0, 10.1.31, or 9.0.96, which fix the issue. The affected versions are:

- 11.0.0-M1 through 11.0.0-M26
- 10.1.0-M1 through 10.1.30
- 9.0.0-M1 through 9.0.95

Mitigation

The primary mitigation is to upgrade to the patched versions of Apache Tomcat:

1. For Tomcat 11.x users: Upgrade to version 11.0.0
2. For Tomcat 10.x users: Upgrade to version 10.1.31
3. For Tomcat 9.x users: Upgrade to version 9.0.96

If immediate patching is not possible, consider the following:

1. Review and assess any custom Jakarta Authentication (JASPIC) ServerAuthContext components in use to ensure they properly handle exceptions and set appropriate HTTP status codes for authentication failures.
2. Monitor authentication logs for any suspicious activities or unexpected authentication successes.
3. Implement additional network security measures to restrict access to Tomcat servers where possible.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-52316.

Nov 18, 2024 at 12:05 PM / Vulners.com RSS Feed
CVE Assignment

NVD published the first details for CVE-2024-52316

Nov 18, 2024 at 12:15 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 18, 2024 at 12:21 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 18, 2024 at 12:30 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-52316).

Nov 18, 2024 at 2:55 PM
CVSS

A CVSS base score of 4.8 has been assigned.

Nov 18, 2024 at 2:55 PM / redhat-cve-advisories
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 18, 2024 at 3:40 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (211506)

Nov 18, 2024 at 6:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (211504)

Nov 18, 2024 at 6:15 PM

Affected Systems

Apache/tomcat

Patches

bugzilla.redhat.com

Vendor Advisory

[GHSA-xcpr-7mr4-h4xq] Apache Tomcat - Authentication Bypass
GitHub Security Advisory: GHSA-xcpr-7mr4-h4xq
Release Date: 2024-11-18
Update Date: 2024-11-18
Severity: Critical
CVE-2024-52316
Base Score: 9.8
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Information
Package: org.apache.tomcat:tomcat-catalina
Affected Versions:
Patched Versions: 9.0.96
Description: Unchecked Error Condition vulnerability in Apache Tomcat.

News

9 - CVE-2024-52316
Currently trending CVE - hypeScore: 3 - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indic
CVE-2024-52316 : Unchecked Error Condition vulnerability in Apache Tomcat (19th Nov 2024)
Preface: Apache Tomcat is one of the top technologies in Java developers’ tech stacks—and for good reason. According to the 2024 Java Developer Productivity Report, 36% of Java developers use Apache Tomcat as their application server.
Background: Apache Tomcat (called “Tomcat” for short) is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies. Jakarta is one of their projects, under which they have developed the Tomcat servlet container. Jakarta Authentication defines a general low-level SPI for authentication mechanisms, which are controllers that interact with a caller and a container’s environment to obtain the caller’s credentials, validate these, and pass an authenticated identity (such as name and groups) to the container.
Vulnerability details: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process.
famixcm/CVE-2024-52316
By manipulating an unknown input, a remote code execution vulnerability can be exploited. It is rated critical.
Apache Tomcat - Authentication Bypass
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from …
Trio of Apache Tomcat Flaws Disclosed: Authentication Bypass, HTTP/2 Request Mix-Up, and XSS Flaw
These vulnerabilities, ranging from authentication bypass to potential cross-site scripting (XSS) attacks, could leave numerous web applications exposed to malicious actors. The advisory describes the issue: “ If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
