[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

Mark Thomas Mon, 12 Jul 2021 06:27:25 -0700

CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low


Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:

Queries made by the JNDI Realm did not always correctly escapeparameters. Parameter values could be sourced from user provided data(eg user names) as well as configuration data provided by an administrator.In limited circumstances it was possible for users to authenticate usingvariations of their user name and/or to bypass some of the protectionprovided by the LockOut Realm.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html

[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

Reply via email to