Test ID:	1.3.6.1.4.1.25623.1.0.146264
Category:	Web Servers
Title:	Apache Tomcat JNDI Realm Authentication Weakness Vulnerability (Jul 2021) - Linux
Summary:	Apache Tomcat is prone to an authentication weakness; vulnerability in the JNDI Realm.
Description:	Summary: Apache Tomcat is prone to an authentication weakness vulnerability in the JNDI Realm. Vulnerability Insight: Queries made by the JNDI Realm do not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator. In limited circumstances it is possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm. Affected Software/OS: Apache Tomcat 7.0.x through 7.0.108, 8.5.x through 8.5.65, 9.0.0.M1 through 9.0.45 and 10.0.0-M1 through 10.0.5. Solution: Update to version 7.0.109, 8.5.66, 9.0.46, 10.0.6 or later. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-30640 https://security.netapp.com/advisory/ntap-20210827-0007/ Debian Security Information: DSA-4952 (Google Search) https://www.debian.org/security/2021/dsa-4952 Debian Security Information: DSA-4986 (Google Search) https://www.debian.org/security/2021/dsa-4986 https://security.gentoo.org/glsa/202208-34 https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuoct2021.html https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
Copyright	Copyright (C) 2021 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.