Bug 2326972 (CVE-2024-52316)

Summary: CVE-2024-52316 tomcat: Apache Tomcat: Authentication bypass when using Jakarta Authentication API
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aakkiang, aganbat, ahumbe, aogburn, cfu, csutherl, dsirrine, edewata, fdelehay, gkimetto, jclere, jmagne, jwright, mfargett, mharmsen, pjindal, plodge, prisingh, skhandel, szappis, taherrin, teagle, tosorio, vrajput
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat when configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component. This vulnerability allows authentication bypass via improperly handled exceptions during the authentication process.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-11-18 12:01:21 UTC
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Comment 4 errata-xmlrpc 2025-04-07 17:01:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2025:3609 https://access.redhat.com/errata/RHSA-2025:3609

Comment 5 errata-xmlrpc 2025-04-07 17:01:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.1 on RHEL 8
  Red Hat JBoss Web Server 6.1 on RHEL 9

Via RHSA-2025:3608 https://access.redhat.com/errata/RHSA-2025:3608

Comment 7 errata-xmlrpc 2025-05-13 15:59:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7497 https://access.redhat.com/errata/RHSA-2025:7497