First published: Mon Jul 12 2021 (Updated: )
Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by improper authentication validation in the JNDI Realm. By sending specially crafted requests that use varying user names, an attacker could exploit this vulnerability to bypass some of the protection provided by the LockOut Realm.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el7 | 0:9.0.50-3.redhat_00004.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el7 | 0:1.2.30-3.redhat_3.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el7 | 0:1.1.8-4.Final_redhat_00004.1.el7 |
redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el8 | 0:9.0.50-3.redhat_00004.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el8 | 0:1.2.30-3.redhat_3.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el8 | 0:1.1.8-4.Final_redhat_00004.1.el8 |
IBM DRM | <=2.0.6 | |
redhat/tomcat | <10.0.6 | 10.0.6 |
redhat/tomcat | <9.0.46 | 9.0.46 |
redhat/tomcat | <8.5.66 | 8.5.66 |
redhat/tomcat | <7.0.109 | 7.0.109 |
ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.2 | 9.0.16-3ubuntu0.18.04.2 |
ubuntu/tomcat9 | <9.0.31-1ubuntu0.2 | 9.0.31-1ubuntu0.2 |
debian/tomcat9 | 9.0.31-1~deb10u6, 9.0.31-1~deb10u12, 9.0.43-2~deb11u9, 9.0.43-2~deb11u10, 9.0.70-2 | |
Apache Tomcat | >=7.0.0<7.0.109 | |
Apache Tomcat | >=8.5.0<8.5.66 | |
Apache Tomcat | >=9.0.0<9.0.46 | |
Apache Tomcat | >=10.0.0<10.0.6 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Communications Diameter Signaling Router | >=8.0.0<=8.5.0 | |
Oracle Communications Pricing Design Center | =12.0.0.3.0 | |
Oracle Hospitality Cruise Shipboard Property Management System | =20.1.0 | |
Oracle Tekelec Platform Distribution | >=7.4.0<=7.7.1 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
CVE-2021-30640 is a vulnerability in the JNDI Realm of Apache Tomcat that allows an attacker to bypass security restrictions.
CVE-2021-30640 allows a remote attacker to bypass security restrictions in Apache Tomcat.
CVE-2021-30640 has a severity rating of 7.5 (high).
Affected versions include Apache Tomcat 7.0.0 to 7.0.109, 8.5.0 to 8.5.66, 9.0.0 to 9.0.46, and 10.0.0 to 10.0.6.
To fix CVE-2021-30640, upgrade to Apache Tomcat versions 7.0.110, 8.5.67, 9.0.47, or 10.0.7.