CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-52316

CVSS 9.8v3.1pub. 2024-11-18upd. 2025-11-07

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

🤖 AI Analysis
How it works

When Apache Tomcat uses a custom ServerAuthContext component as part of Jakarta Authentication (formerly JASPIC), and the component throws an exception during the authentication process without explicitly setting an HTTP response code signaling failure, the server may incorrectly consider the authentication as successfully completed. This is an error of category CWE-391 (Unchecked Error Condition) and CWE-754 (Improper Check for Unusual Exceptional Conditions) — the application does not properly verify the error state and continues processing the request as if the user were authenticated. Apache indicates that no standard Jakarta Authentication components are known to exhibit such behavior, which limits the vulnerability scope to environments using custom implementations.

Impact

An attacker can bypass the authentication mechanism and gain unauthorized access to protected application resources, which may lead to violations of confidentiality, integrity, and availability of data processed by the server.

Mitigation & patch

Apache Tomcat should be updated to version 11.0.0, 10.1.31 or 9.0.96, which contain the fix. Version 8.5.x is marked as EOL and will not receive an official patch — migration to a supported branch is recommended. As a workaround, consider replacing or removing the custom JASPIC ServerAuthContext component that does not explicitly handle HTTP error codes during exceptions.

Who is affected

Apache Tomcat in versions: 11.0.0-M1 through 11.0.0-M26, 10.1.0-M1 through 10.1.30, 9.0.0-M1 through 9.0.95. EOL versions: 8.5.0 through 8.5.100 (and potentially other EOL versions). The vulnerability affects only configurations using a custom JASPIC ServerAuthContext component. It also affects Debian Linux (Apache Tomcat packages).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Tomcat

    APP
    Apache
    11.0.09.0.0 – 9.0.96 (bez)10.1.0 – 10.1.31 (bez)
  • Debian

    OS
    Debian
    11.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki