{"containers": {"cna": {"affected": [{"product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Tomcat 10 10.0.0-M1 to 10.0.5"}, {"status": "affected", "version": "Apache Tomcat 9 9.0.0.M1 to 9.0.45"}, {"status": "affected", "version": "Apache Tomcat 8.5 8.5.0 to 8.5.65"}, {"status": "affected", "version": "Apache Tomcat 7 7.0.0 to 7.0.108"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65."}], "problemTypes": [{"descriptions": [{"description": "Authentication weaknees", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-21T04:07:59", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"}, {"name": "DSA-4952", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4952"}, {"name": "DSA-4986", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4986"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-34"}], "source": {"discovery": "UNKNOWN"}, "title": "Auth weakness in JNDIRealm", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-30640", "STATE": "PUBLIC", "TITLE": "Auth weakness in JNDIRealm"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Tomcat", "version": {"version_data": [{"version_affected": "=", "version_name": "Apache Tomcat 10", "version_value": "10.0.0-M1 to 10.0.5"}, {"version_affected": "=", "version_name": "Apache Tomcat 9", "version_value": "9.0.0.M1 to 9.0.45"}, {"version_affected": "=", "version_name": "Apache Tomcat 8.5", "version_value": "8.5.0 to 8.5.65"}, {"version_affected": "=", "version_name": "Apache Tomcat 7", "version_value": "7.0.0 to 7.0.108"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Authentication weaknees"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"}, {"name": "DSA-4952", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4952"}, {"name": "DSA-4986", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4986"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210827-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-34"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:40:31.832Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"name": "[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"}, {"name": "DSA-4952", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4952"}, {"name": "DSA-4986", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4986"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "GLSA-202208-34", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-34"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-30640", "datePublished": "2021-07-12T14:55:13", "dateReserved": "2021-04-13T00:00:00", "dateUpdated": "2024-08-03T22:40:31.832Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2BA16F9-F348-4796-B5A1-A1CC3CC20926", "versionEndExcluding": "7.0.109", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "E609F611-7273-4E5E-8EE1-99804D01AFCB", "versionEndExcluding": "8.5.66", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFD5BEFB-48F5-4CC6-8644-1C38106A0F6F", "versionEndExcluding": "9.0.46", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CC917F9-341E-4064-B101-5382944BD79A", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "matchCriteriaId": "C88D46AF-459D-4917-9403-0F63FEC83512", "versionEndIncluding": "8.5.0", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "05F5B430-8BA1-4865-93B5-0DE89F424B53", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:*", "matchCriteriaId": "26F05F85-7458-4C8F-B93F-93C92E506A40", "versionEndIncluding": "7.7.1", "versionStartIncluding": "7.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65."}, {"lang": "es", "value": "Una vulnerabilidad en el \u00e1mbito JNDI de Apache Tomcat permite a un atacante autenticarse usando variaciones de un nombre de usuario v\u00e1lido y/o omitir parte de la protecci\u00f3n proporcionada por el \u00e1mbito LockOut. Este problema afecta a Apache Tomcat versiones 10.0.0-M1 hasta 10.0.5; versiones 9.0.0.M1 hasta 9.0.45; versiones 8.5.0 hasta 8.5.65"}], "id": "CVE-2021-30640", "lastModified": "2022-10-27T01:08:51.290", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-12T15:15:08.367", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-34"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210827-0007/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4952"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4986"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5532", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "tomcat", "product_name": "Red Hat Fuse 7.11", "release_date": "2022-07-07T00:00:00Z"}, {"advisory": "RHSA-2021:4863", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-native-0:1.2.30-3.redhat_3.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7", "package": "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 7", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-native-0:1.2.30-3.redhat_3.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2021:4861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8", "package": "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.6 on RHEL 8", "release_date": "2021-11-30T00:00:00Z"}, {"advisory": "RHSA-2022:1179", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "tomcat", "product_name": "Red Hat Support for Spring Boot 2.5.10", "release_date": "2022-04-12T00:00:00Z"}], "bugzilla": {"description": "tomcat: JNDI realm authentication weakness", "id": "1981544", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981544"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65."], "name": "CVE-2021-30640", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-30640\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-30640"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.", "threat_severity": "Low", "upstream_fix": "tomcat 10.0.6, tomcat 9.0.46, tomcat 8.5.66, tomcat 7.0.109"}