A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. Reference: https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
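The description above ties the user-name variation issue to the LockOut Realm: a lockout mechanism that counts failed attempts per submitted string, while the backend accepts several spellings of one account, lets an attacker spread attempts across spellings and never trip the counter. The following added example (not Tomcat's or Red Hat's code) contrasts a naive failure counter with one keyed on a canonical form of the name; which variations the real JNDI Realm accepted is not stated on this page, so the canonicalization here (trim, collapse whitespace, case fold) and the attempt sequence are constructed assumptions for illustration only.

```python
import re
from collections import defaultdict

MAX_FAILURES = 5


class NaiveLockout:
    """Failure counter keyed on the user name exactly as submitted (the weak design)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def key(self, username):
        return username

    def is_locked(self, username):
        return self.failures[self.key(username)] >= self.max_failures

    def record_failure(self, username):
        self.failures[self.key(username)] += 1


def canonical_user(username):
    """Assumed canonical form: strip edges, collapse inner whitespace, case fold.
    This must match whatever equivalence the authentication backend applies."""
    return re.sub(r"\s+", " ", username.strip()).casefold()


class CanonicalLockout(NaiveLockout):
    """Same counter, but every spelling of one account shares a single key."""

    def key(self, username):
        return canonical_user(username)


def simulate(lockout, attempts):
    """Feed a sequence of failing login attempts through the lockout check.
    Returns how many attempts were forwarded to the backend before being blocked."""
    forwarded = 0
    for name in attempts:
        if lockout.is_locked(name):
            continue  # blocked by the realm, backend never sees it
        forwarded += 1
        lockout.record_failure(name)
    return forwarded


# Constructed input: five spellings of the same account, cycled three times (15 attempts).
ATTEMPTS = ["alice", "Alice", "alice ", " alice", "ALICE"] * 3

if __name__ == "__main__":
    print("naive lockout forwarded:", simulate(NaiveLockout(), ATTEMPTS))       # 15
    print("canonical lockout forwarded:", simulate(CanonicalLockout(), ATTEMPTS))  # 5
```

With the naive counter each spelling accumulates only three failures, so the backend sees all fifteen attempts; with the canonical key the sixth attempt onward is blocked regardless of spelling. The defensive point is that the lockout key must be derived from the same identity the backend resolves, otherwise the two disagree on what "one user" means.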
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1981545]
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:4863 https://access.redhat.com/errata/RHSA-2021:4863
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.6 on RHEL 7; Red Hat JBoss Web Server 5.6 on RHEL 8. Via RHSA-2021:4861 https://access.redhat.com/errata/RHSA-2021:4861
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-30640
This issue has been addressed in the following products: Red Hat Support for Spring Boot 2.5.10 Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532