Conversation
buherator
buherator
CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API
https://seclists.org/oss-sec/2024/q4/103
Sounds pretty esoteric, but I may be wrong:
"If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail"
https://seclists.org/oss-sec/2024/q4/103
Sounds pretty esoteric, but I may be wrong:
"If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail"
0
0
0