CVE Tools

CVE-2024-52316

Apache Tomcat: Authentication bypass when using Jakarta Authentication API

Published: Nov 18, 2024Updated: Nov 7, 2025 Sources: CVE List NVD GHSA BDUCWE-391

9.8CVSSCRITICAL

No Known Exploits

Patch Available

Description

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:NPrivileges Required

None

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:HConfidentiality

High

I:HIntegrity

High

A:HAvailability

High

Open in CVSS calculator →

Weaknesses

CWE-391 CWE-754

Affected Products

On-premWeb App

Networking Infrastructure / load-balancer-proxy

debian linux debian

On-premOS

Operating Systems / linux-distro

Apache Tomcat Apache Software Foundation

On-premWeb App

Networking Infrastructure / load-balancer-proxy

РЕД ОС ООО «Ред Софт»

On-premOS

Operating Systems / linux-distro

Альт 8 СП АО «ИВК»

On-premOS

Operating Systems / linux-distro

apacheoss-projectUSWeb & CMS Pluginsaka apache http server, apache httpd

debianoss-projectGBOperating Systemsaka debian gnu/linux

apache software foundationoss-projectUSWeb & CMS Pluginsaka apache foundation

ооо «ред софт»commercialRUOperating Systemsaka red soft

ао «ивк»commercialRUOperating Systemsaka ivk

and 5 more affected products View all →

Exploitability

Official Patch Available

References

https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928

lists.apache.org

http://www.openwall.com/lists/oss-security/2024/11/18/2

https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html

lists.debian.org

and 14 more references View all →

Timeline

Published

Nov 18, 2024

Last Updated

Nov 7, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-52316 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows