tomcat-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness
Date Mon, 12 Jul 2021 13:04:12 GMT
CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:
Queries made by the JNDI Realm did not always correctly escape 
parameters. Parameter values could be sourced from user provided data 
(eg user names) as well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using 
variations of their user name and/or to bypass some of the protection 
provided by the LockOut Realm.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html





Mime
View raw message