SCA: security update for org.apache.tomcat:tomcat-catalina (GHSA-xcpr-7mr4-h4xq)

critical Tenable Cloud Security Plugin ID 420438

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta
Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to indicate failure, the authentication
may not fail, allowing the user to bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1
through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions
were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL
versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96,
which fix the issue. (CVE-2024-52316)

See Also

https://github.com/advisories/GHSA-xcpr-7mr4-h4xq

Plugin Details

Severity: Critical

ID: 420438

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.43

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-52316

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/18/2024

Vulnerability Publication Date: 10/9/2024

Reference Information

CVE: CVE-2024-52316