CVE-2024-52316
Authentication Bypass vulnerability in tomcat-catalina (Maven)

Authentication Bypass Proof of concept

What is CVE-2024-52316 About?

This vulnerability in Apache Tomcat affects custom Jakarta Authentication ServerAuthContext components that may throw an exception during authentication without explicitly setting an HTTP status. This can lead to an authentication bypass, allowing unauthorized access. Exploitation depends on the use of such a misconfigured custom component.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.1
    • <9.0.96
    • >10.1.0-M1, <10.1.30

Technical Details

The vulnerability occurs within Apache Tomcat when it is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component. Specifically, if this custom component encounters an error and throws an exception during the authentication process, but fails to explicitly set an HTTP status code indicating an authentication failure, Tomcat's authentication mechanism may not correctly interpret the outcome. Instead of rejecting the request, Tomcat may proceed as if authentication had succeeded, effectively bypassing authentication for that request. This allows an unauthenticated user to gain unauthorized access to protected resources. Upgrading Tomcat is the fix; a custom component that always sets an explicit failure status on its error path removes the precondition the advisory describes.
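The following is an added example, not code from Tomcat or from any vendor, showing a custom ServerAuthContext whose error path always sets an explicit 401 before returning or throwing, which is the condition the advisory says a vulnerable component lacks. The class name `ExplicitFailureServerAuthContext` and the `lookupUser` backend are hypothetical, and the backend fault it raises is constructed for illustration.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical custom ServerAuthContext (not Tomcat's own code). Every failure,
// including an unexpected exception from the credential backend, marks the
// response as a failure before control leaves validateRequest.
public class ExplicitFailureServerAuthContext implements ServerAuthContext {

    // Stand-in for a real credential check. A backend fault surfaces as an
    // unchecked exception, which is the case the advisory describes.
    private String lookupUser(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;  // no credentials presented
        }
        throw new IllegalStateException("credential backend unavailable");  // constructed fault
    }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) info.getResponseMessage();
        try {
            String user = lookupUser(req.getHeader("Authorization"));
            if (user == null) {
                return deny(resp);
            }
            client.getPrincipals().add(() -> user);  // java.security.Principal as a lambda
            return AuthStatus.SUCCESS;
        } catch (RuntimeException | IOException e) {
            // Weak pattern: rethrow as AuthException with no status on the response.
            // Hardened: set the failure status first, so the outcome is unambiguous
            // even if the exception is swallowed by the caller.
            try { deny(resp); } catch (IOException ignored) { }
            AuthException ae = new AuthException("authentication failed");
            ae.initCause(e);
            throw ae;
        }
    }

    private AuthStatus deny(HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }

    @Override
    public void cleanSubject(MessageInfo info, Subject subject) { subject.getPrincipals().clear(); }
}
```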

What is the Impact of CVE-2024-52316?

Successful exploitation may allow attackers to bypass authentication mechanisms, leading to unauthorized access to sensitive information, arbitrary code execution, or full control over the application.

What is the Exploitability of CVE-2024-52316?

Exploitation requires a very specific configuration of Apache Tomcat: it must be using a custom Jakarta Authentication ServerAuthContext component that is itself faulty (i.e., throws exceptions without setting an HTTP failure status). The attack consists of sending a request that goes through the Tomcat instance's authentication step. No credentials are required to initiate the attack, as it targets the authentication process itself. Privilege levels are not a direct factor, as the goal is to bypass them. It is a remote vulnerability. The complexity is high, as it relies on a specific, non-standard custom component with a particular fault, meaning it is not broadly exploitable against default or well-configured systems. There are no known Jakarta Authentication components that behave in this vulnerable way, which significantly reduces the likelihood of exploitation.

What are the Known Public Exploits?

PoC Author   Link   Commentary
TAM-K592     Link   CVE-2024-52316 - Apache Tomcat Authentication Bypass Vulnerability

What are the Available Fixes for CVE-2024-52316?

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina
    • <9.0.96 → Upgrade to 9.0.96
  • org.apache.tomcat:tomcat-catalina
    • >10.1.0-M1, <10.1.30 → Upgrade to 10.1.30
  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.1 → Upgrade to 11.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2024-52316?

Similar Vulnerabilities: CVE-2022-26138, CVE-2022-42796, CVE-2022-42797, CVE-2022-45133, CVE-2023-46580