Unchecked Error Condition

CVE-2024-52316

Severity High
Score 9.8/10

Summary

Unchecked Error Condition vulnerability in Apache Tomcat versions 9.0.0-M1 through 9.0.95, 10.1.0-M1 through 10.1.30, and 11.0.0-M1 through 11.0.0-M26. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) "ServerAuthContext" component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
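The defensive pattern the summary implies, as an added example that is not Tomcat's code or any real Jakarta Authentication module: a ServerAuthContext whose authentication step always writes a failure status to the response before it returns or rethrows, so the outcome never depends on how the container treats an unexpected exception. It assumes the jakarta.security.auth.message package names used by Tomcat 10 and 11 (Tomcat 9 uses javax.security.auth.message) and a hypothetical CredentialStore backend.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Hypothetical credential backend: returns the user name, null for bad
 *  credentials, and may throw a RuntimeException when it is unavailable. */
interface CredentialStore { String check(String authorizationHeader); }

public class ExplicitFailureAuthContext implements ServerAuthContext {
    private final CredentialStore store;
    private final CallbackHandler handler; // container-supplied, registers the caller principal
    public ExplicitFailureAuthContext(CredentialStore store, CallbackHandler handler) {
        this.store = store; this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        try {
            String user = store.check(req.getHeader("Authorization"));
            if (user == null) {
                return fail(resp, HttpServletResponse.SC_UNAUTHORIZED);
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            // An unsafe context would let e propagate with the response status still unset;
            // here the failure is made explicit in the response before anything is returned.
            return fail(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    /** Always sets a failure status so the result does not rely on container behaviour. */
    private static AuthStatus fail(HttpServletResponse resp, int status) {
        resp.setStatus(status); return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override
    public void cleanSubject(MessageInfo info, Subject s) { s.getPrincipals().clear(); }
}
```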

Score metric values (shown unlabeled on the page): LOW, NETWORK, HIGH, UNCHANGED, NONE, NONE, HIGH, HIGH

CWE-391 - Unchecked Error Condition

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

Advisory Timeline

  • Published