
Test ID: 1.3.6.1.4.1.25623.1.0.146265
Category: Web Servers
Title: Apache Tomcat JNDI Realm Authentication Weakness Vulnerability (Jul 2021) - Windows
Summary: Apache Tomcat is prone to an authentication weakness vulnerability in the JNDI Realm.
Description:
Summary:
Apache Tomcat is prone to an authentication weakness
vulnerability in the JNDI Realm.

Vulnerability Insight:
Queries made by the JNDI Realm do not always correctly escape
parameters. Parameter values could be sourced from user-provided data (e.g. user names) as well as
configuration data provided by an administrator. In limited circumstances it is possible for
users to authenticate using variations of their user name and/or to bypass some of the protection
provided by the LockOut Realm.

Affected Software/OS:
Apache Tomcat 7.0.x through 7.0.108, 8.5.x through 8.5.65,
9.0.0.M1 through 9.0.45 and 10.0.0-M1 through 10.0.5.

Solution:
Update to version 7.0.109, 8.5.66, 9.0.46, 10.0.6 or later.

CVSS Score:
5.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2021-30640
https://security.netapp.com/advisory/ntap-20210827-0007/
Debian Security Information: DSA-4952
https://www.debian.org/security/2021/dsa-4952
Debian Security Information: DSA-4986
https://www.debian.org/security/2021/dsa-4986
https://security.gentoo.org/glsa/202208-34
https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
Copyright: Copyright (C) 2021 Greenbone Networks GmbH
