CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API
First published: Mon Nov 18 2024(Updated: )
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat:tomcat-catalina | >=11.0.0-M1<=11.0.0-M26 | 11.0.1 |
| maven/org.apache.tomcat:tomcat-catalina | >=10.1.0-M1<10.1.30 | 10.1.30 |
| maven/org.apache.tomcat:tomcat-catalina | <9.0.96 | 9.0.96 |
| F5 Traffix Systems Signaling Delivery Controller | =5.2.0 | |
| Tomcat | >=9.0.0<9.0.96 | |
| Tomcat | >=10.1.0<10.1.31 | |
| Tomcat | =11.0.0-milestone1 | |
| Tomcat | =11.0.0-milestone10 | |
| Tomcat | =11.0.0-milestone11 | |
| Tomcat | =11.0.0-milestone12 | |
| Tomcat | =11.0.0-milestone13 | |
| Tomcat | =11.0.0-milestone14 | |
| Tomcat | =11.0.0-milestone15 | |
| Tomcat | =11.0.0-milestone16 | |
| Tomcat | =11.0.0-milestone17 | |
| Tomcat | =11.0.0-milestone18 | |
| Tomcat | =11.0.0-milestone19 | |
| Tomcat | =11.0.0-milestone2 | |
| Tomcat | =11.0.0-milestone20 | |
| Tomcat | =11.0.0-milestone21 | |
| Tomcat | =11.0.0-milestone22 | |
| Tomcat | =11.0.0-milestone23 | |
| Tomcat | =11.0.0-milestone24 | |
| Tomcat | =11.0.0-milestone25 | |
| Tomcat | =11.0.0-milestone26 | |
| Tomcat | =11.0.0-milestone3 | |
| Tomcat | =11.0.0-milestone4 | |
| Tomcat | =11.0.0-milestone5 | |
| Tomcat | =11.0.0-milestone6 | |
| Tomcat | =11.0.0-milestone7 | |
| Tomcat | =11.0.0-milestone8 | |
| Tomcat | =11.0.0-milestone9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
- http://www.openwall.com/lists/oss-security/2024/11/18/2
- https://security.netapp.com/advisory/ntap-20250124-0003/
- https://nvd.nist.gov/vuln/detail/CVE-2024-52316
- https://github.com/apache/tomcat/commit/6d097a66746635df6880fe7662a792156b0eca14
- https://github.com/apache/tomcat/commit/7532f9dc4a8c37ec958f79dc82c4924a6c539223
- https://github.com/apache/tomcat/commit/acc2f01395f895980f5d8a64573fcc1bade13369
- https://security.netapp.com/advisory/ntap-20250124-0003
- https://github.com/advisories/GHSA-xcpr-7mr4-h4xq (Advisory)
- https://my.f5.com/manage/s/article/K000149333
- https://access.redhat.com/errata/RHSA-2025:3609
- https://access.redhat.com/errata/RHSA-2025:3608
- https://access.redhat.com/errata/RHSA-2025:7497
- https://bugzilla.redhat.com/show_bug.cgi?id=2326972
Frequently Asked Questions
What is the severity of CVE-2024-52316?
CVE-2024-52316 has been classified as a moderate severity vulnerability.
How do I fix CVE-2024-52316?
To fix CVE-2024-52316, upgrade to Apache Tomcat version 11.0.1, 10.1.30, or 9.0.96 depending on your current version.
Which versions of Apache Tomcat are affected by CVE-2024-52316?
Apache Tomcat versions earlier than 11.0.1, 10.1.30, and 9.0.96 are affected by CVE-2024-52316.
Is CVE-2024-52316 specific to Apache Tomcat?
Yes, CVE-2024-52316 specifically affects the authentication process in Apache Tomcat when using custom Jakarta Authentication components.
What type of vulnerability is CVE-2024-52316?
CVE-2024-52316 is an unchecked error condition vulnerability that can occur during the authentication process.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-52316
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xcpr-7mr4-h4xq
- agent/software-canonical-lookup
- agent/author
- agent/softwarecombine
- collector/github-advisory
- agent/source
- agent/severity
- agent/description
- agent/trending
- agent/event
- collector/f5-advisory
- source/F5
- agent/software-canonical-lookup-request
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/last-modified-date
- agent/tags
- collector/nvd-api
- package-manager/maven
- vendor/f5
- canonical/f5 traffix systems signaling delivery controller
- version/f5 traffix systems signaling delivery controller/5.2.0
- vendor/apache
- canonical/tomcat
- version/tomcat/9.0.0
- version/tomcat/10.1.0
- version/tomcat/11.0.0-milestone1
- version/tomcat/11.0.0-milestone10
- version/tomcat/11.0.0-milestone11
- version/tomcat/11.0.0-milestone12
- version/tomcat/11.0.0-milestone13
- version/tomcat/11.0.0-milestone14
- version/tomcat/11.0.0-milestone15
- version/tomcat/11.0.0-milestone16
- version/tomcat/11.0.0-milestone17
- version/tomcat/11.0.0-milestone18
- version/tomcat/11.0.0-milestone19
- version/tomcat/11.0.0-milestone2
- version/tomcat/11.0.0-milestone20
- version/tomcat/11.0.0-milestone21
- version/tomcat/11.0.0-milestone22
- version/tomcat/11.0.0-milestone23
- version/tomcat/11.0.0-milestone24
- version/tomcat/11.0.0-milestone25
- version/tomcat/11.0.0-milestone26
- version/tomcat/11.0.0-milestone3
- version/tomcat/11.0.0-milestone4
- version/tomcat/11.0.0-milestone5
- version/tomcat/11.0.0-milestone6
- version/tomcat/11.0.0-milestone7
- version/tomcat/11.0.0-milestone8
- version/tomcat/11.0.0-milestone9