| Name | CVE-2024-52316 |
|---|---|
| Description | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. |
| Source | CVE (at NVD) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat10 (PTS) | bookworm (security), bookworm | 10.1.6-1+deb12u2 | vulnerable |
| tomcat10 (PTS) | sid, trixie | 10.1.34-1 | fixed |
| tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u6 | fixed |
| tomcat7 (PTS) | stretch | 7.0.75-1 | fixed |
| tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u28 | fixed |
| tomcat8 (PTS) | stretch (security) | 8.5.54-0+deb9u8 | vulnerable |
| tomcat8 (PTS) | stretch (lts), stretch | 8.5.54-0+deb9u15 | vulnerable |
| tomcat9 (PTS) | buster (security), buster, buster (lts) | 9.0.31-1~deb10u12 | vulnerable |
| tomcat9 (PTS) | bullseye (security), bullseye | 9.0.43-2~deb11u10 | vulnerable |
| tomcat9 (PTS) | bookworm | 9.0.70-2 | fixed |
| tomcat9 (PTS) | sid, trixie | 9.0.95-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat10 | source | (unstable) | 10.1.31-1 | | | |
| tomcat7 | source | (unstable) | (not affected) | | | |
| tomcat8 | source | jessie | (not affected) | | | |
| tomcat8 | source | (unstable) | (unfixed) | | | |
| tomcat9 | source | (unstable) | 9.0.70-2 | | | |
Notes
[bookworm] - tomcat10 <postponed> (Minor issue, fixed along in next DSA)
https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
https://github.com/apache/tomcat/commit/acc2f01395f895980f5d8a64573fcc1bade13369 (10.1.31)
https://github.com/apache/tomcat/commit/7532f9dc4a8c37ec958f79dc82c4924a6c539223 (9.0.96)
Starting with 9.0.70-2, src:tomcat9 no longer ships the server stack; that version is therefore used as the fixed version.
- tomcat7 <not-affected> (JASPIC support introduced in 8.5)
[stretch] - tomcat8 <postponed> (Minor issue, no known Jakarta Authentication components affected)
[jessie] - tomcat8 <not-affected> (JASPIC support introduced in 8.5)