Skip to main content

Improper Encoding or Escaping of Output


Severity Medium
Score 6.5/10


A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 7.0.X Before 7.0.109, 8.X before 8.5.66, 9.0.X before 9.0.46, and before 10.0.6.

  • HIGH
  • HIGH
  • NONE
  • NONE
  • LOW
  • NONE

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Advisory Timeline

  • Published