CVE-2024-52316 Apache Tomcat - Authentication Bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M26 Apache Tomcat 10.1.0-M1 to 10.1.30 Apache Tomcat 9.0.0-M1 to 9.0.95 Description: If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. Mitigation: Users of the affected versions should apply one of the following mitigations: Upgrade to Apache Tomcat 11.0.0 or later Upgrade to Apache Tomcat 10.1.31 or later Upgrade to Apache Tomcat 9.0.96 or later Credit: This vulnerability identified by the Tomcat security team History: 2024-11-18 Original advisory References: 1. 2. 3.