Path to dependency file: /services/elastic_ip_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
CVE-2024-52316 - Critical Severity Vulnerability
tomcat-embed-core-9.0.33.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /services/elastic_ip_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar,/home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.33/tomcat-embed-core-9.0.33.jar
Dependency Hierarchy: - spring-boot-starter-web-2.2.6.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.2.6.RELEASE.jar - :x: **tomcat-embed-core-9.0.33.jar** (Vulnerable Library)
tomcat-embed-core-9.0.31.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /services/route_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.31/tomcat-embed-core-9.0.31.jar
Dependency Hierarchy: - spring-boot-starter-web-2.2.5.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.2.5.RELEASE.jar - :x: **tomcat-embed-core-9.0.31.jar** (Vulnerable Library)
tomcat-embed-core-9.0.21.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /services/vpc_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.21/tomcat-embed-core-9.0.21.jar
Dependency Hierarchy: - spring-boot-starter-web-2.1.6.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.1.6.RELEASE.jar - :x: **tomcat-embed-core-9.0.21.jar** (Vulnerable Library)
tomcat-embed-core-9.0.36.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /services/network_acl_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.36/tomcat-embed-core-9.0.36.jar
Dependency Hierarchy: - spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.3.1.RELEASE.jar - :x: **tomcat-embed-core-9.0.36.jar** (Vulnerable Library)
tomcat-embed-core-9.0.35.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /services/security_group_manager/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.35/tomcat-embed-core-9.0.35.jar
Dependency Hierarchy: - spring-boot-starter-web-2.3.0.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-2.3.0.RELEASE.jar - :x: **tomcat-embed-core-9.0.35.jar** (Vulnerable Library)
Found in HEAD commit: 3c4e28556738e020da91fd03c3aaa5d9a7c1cfed
Found in base branch: master
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52316
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.