Unchecked Error Condition
CVE-2024-52316
Summary
Unchecked Error Condition vulnerability in Apache Tomcat versions 9.0.0-M1 through 9.0.95, 10.1.0-M1 through 10.1.30, and 11.0.0-M1 through 11.0.0-M26. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) "ServerAuthContext" component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
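The mitigation the description implies, as an added example written for this page (not Tomcat's code and not any real Jakarta Authentication component): a custom ServerAuthContext that sets an explicit HTTP failure status on every non-success path, including when the credential check throws. It assumes the jakarta.* packages used by Tomcat 10.1 and 11 (Tomcat 9 uses javax.security.auth.message and javax.servlet) and a hypothetical resolveUser lookup keyed on a constructed sample token.

```java
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import javax.security.auth.Subject;
import java.security.Principal;
public class FailClosedServerAuthContext implements ServerAuthContext {
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
            Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            Principal user = resolveUser(request);  // hypothetical check; may throw
            if (user == null) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            clientSubject.getPrincipals().add(user);
            return AuthStatus.SUCCESS;
        } catch (RuntimeException e) {
            // The advisory's failure mode is an exception escaping here with no failure status
            // set. Record the status before propagating so the request cannot continue as authenticated.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            AuthException ae = new AuthException("authentication backend error");
            ae.initCause(e);
            throw ae;
        }
    }
    // Hypothetical lookup with a constructed sample token; a real one would consult a user store.
    private Principal resolveUser(HttpServletRequest request) {
        String token = request.getHeader("X-Auth-Token");
        if (token == null || !"demo-valid-token".equals(token)) {
            return null;
        }
        return () -> "demo-user";
    }
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }
}
```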
Severity (CVSS base metric values)
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-391 - Unchecked Error Condition
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
References
Advisory Timeline
- Published