Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

The version of Solarwinds Web Help Desk installed on the remote host is prior to 12.8.4. It is, therefore, affected by multiple vulnerabilities as referenced in the 12.8.4 release notes.

  - Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does     not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as     demonstrated by nesting of FORM elements. (CVE-2020-26870)

  - SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires     the software be installed on Linux and configured to use non-default development/test mode making exposure     to the vulnerability very limited. (CVE-2024-45709)

  - DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been     discovered that malicious HTML using special nesting techniques can bypass the depth checking added to     DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.
    This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed     in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds     for this vulnerability. (CVE-2024-45801)

  - DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was     vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. (CVE-2024-47875)

  - DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was     vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. (CVE-2024-48910)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4106-1 advisory.

    - Update to Tomcat 9.0.97
      * Fixed CVEs:
        + CVE-2024-52316: If the Jakarta Authentication fails with an exception,           set a 500 status (bsc#1233434)
      * Catalina         + Add: Add support for the new Servlet API method           HttpServletResponse.sendEarlyHints(). (markt)         + Add: 55470: Add debug logging that reports the class path when a           ClassNotFoundException occurs in the digester or the web application           class loader. Based on a patch by Ralf Hauser. (markt)         + Update: 69374: Properly separate between table header and body in           DefaultServlet's listing. (michaelo)         + Update: 69373: Make DefaultServlet's HTML listing file last modified           rendering better (flexible). (michaelo)         + Update: Improve HTML output of DefaultServlet. (michaelo)         + Code: Refactor RateLimitFilter to use FilterBase as the base class. The           primary advantage for doing this is less code to process init-param           values. (markt)         + Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
          (michaelo)         + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped           requests. (remm)         + Fix: Add missing WebDAV Lock-Token header in the response when locking           a folder. (remm)         + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)         + Fix: Fix regression in WebDAV when attempting to unlock a collection.
          (remm)         + Fix: Verify that destination is not locked for a WebDAV copy operation.
          (remm)         + Fix: Send 415 response to WebDAV MKCOL operations that include a           request body since this is optional and unsupported. (remm)         + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)         + Fix: Do not allow a new WebDAV lock on a child resource if a parent           collection is locked (RFC 4918 section 6.1). (remm)         + Fix: WebDAV Delete should remove any existing lock on successfully           deleted resources. (remm)         + Update: Remove WebDAV lock null support in accordance with RFC 4918           section 7.3 and annex D. Instead, a lock on a non-existing resource           will create an empty file locked with a regular lock. (remm)         + Update: Rewrite implementation of WebDAV shared locks to comply with           RFC 4918. (remm)         + Update: Implement WebDAV If header using code from the Apache Jackrabbit           project. (remm)         + Add: Add PropertyStore interface in the WebDAV Servlet, to allow           implementation of dead properties storage. The store used can be           configured using the 'propertyStore' init parameter of the WebDAV           servlet. A simple non-persistent implementation is used if no custom           store is configured. (remm)         + Update: Implement WebDAV PROPPATCH method using the newly added           PropertyStore. (remm)         + Fix: Cache not found results when searching for web application class           loader resources. This addresses performance problems caused by           components such as java.sql.DriverManager which, in some circumstances,           will search for the same class repeatedly. In a large web application           this can cause performance problems. The size of the cache can be           controlled via the new notFoundClassResourceCacheSize on the           StandardContext. (markt)         + Fix: Stop after INITIALIZED state should be a noop since it is possible           for subcomponents to be in FAILED after init. (remm)         + Fix: Fix incorrect web resource cache size calculations when there are           concurrent PUT and DELETE requests for the same resource. (markt)         + Add: Add debug logging for the web resource cache so the current size           can be tracked as resources are added and removed. (markt)         + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens           with urn:uuid: as recommended by RFC 4918, and remove secret init           parameter. (remm)         + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the           same path caused corruption of the FileResource where some of the           fields were set as if the file exists and some as set as if it does           not. This resulted in inconsistent metadata. (markt)         + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on           GET and HEAD requests. Also skip requests where the application has set           Cache-Control: no-store. (markt)         + Fix: 69419: Improve the performance of ServletRequest.getAttribute()           when there are multiple levels of nested includes. Based on a patch           provided by John Engebretson. (markt)         + Add: All applications to send an early hints informational response by           calling HttpServletResponse.sendError() with a status code of 103.
          (schultz)         + Fix: Ensure that the Jakarta Authentication CallbackHandler only           creates one GenericPrincipal in the Subject. (markt)         + Fix: If the Jakarta Authentication process fails with an Exception,           explicitly set the HTTP response status to 500 as the ServerAuthContext           may not have set it. (markt)         + Fix: When persisting the Jakarta Authentication provider configuration,           create any necessary parent directories that don't already exist.
          (markt)         + Fix: Correct the logic used to detect errors when deleting temporary           files associated with persisting the Jakarta Authentication provider           configuration. (markt)         + Fix: When processing Jakarta Authentication callbacks, don't overwrite           a Principal obtained from the PasswordValidationCallback with null if           the CallerPrincipalCallback does not provide a Principal. (markt)         + Fix: Avoid store config backup loss when storing one configuration more           than once per second. (remm)         + Fix: 69359: WebdavServlet duplicates getRelativePath() method from           super class with incorrect Javadoc. (michaelo)         + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and           DefaultServlet. (michaelo)         + Fix: Make WebdavServlet properly return the Allow header when deletion           of a resource is not allowed. (michaelo)         + Fix: Add log warning if non wildcard mappings are used with the           WebdavServlet. (remm)         + Fix: 69361: Ensure that the order of entries in a multi-status response           to a WebDAV is consistent with the order in which resources were           processed. (markt)         + Fix: 69362: Provide a better multi-status response when deleting a           collection via WebDAV fails. Empty directories that cannot be deleted           will now be included in the response. (markt)         + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to           ensure that the correct path is used when the WebDAV servlet is mounted           at a sub-path within the web application. (markt)         + Fix: Improve performance of ApplicationHttpRequest.parseParameters().
          Based on sample code and test cases provided by John Engebretson.
          (markt)         + Add: Add support for RFC 8297 (Early Hints). Applications can use           this feature by casting the HttpServletResponse to           org.apache.catalina.connector.Reponse and then calling the method           void sendEarlyHints(). This method will be added to the Servlet API           (removing the need for the cast) in Servlet 6.2 onwards. (markt)         + Fix: 69214: Do not reject a CORS request that uses POST but does not           include a content-type header. Tomcat now correctly processes this as           a simple CORS request. Based on a patch suggested by thebluemountain.
          (markt)         + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather           than Subject.doAs() when available. (markt)
      * Coyote         + Fix: Return null SSL session id on zero length byte array returned from           the SSL implementation. (remm)         + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)         + Fix: Create the HttpParser in Http11Processor if it is not present on           the AbstractHttp11Protocol to provide better lifecycle robustness for           regular HTTP/1.1. The new behavior was introduced on a previous           refactoring to improve HTTP/2 performance. (remm)         + Fix: OpenSSLContext will now throw a KeyManagementException if something           is known to have gone wrong in the init method, which is the behavior           documented by javax.net.ssl.SSLContext.init. This makes error handling           more consistent. (remm)         + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to           generate Date headers for HTTP responses) generates the correct string           for the given input. Prior to this change, the output may have been           wrong by one second in some cases. Pull request #751 provided by Chenjp.
          (markt)         + Add: Add server and serverRemoveAppProvidedValues to the list of           attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector           it is nested within. (markt)         + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by           destroying SSLContext objects through GC after APR has been terminated.
          (remm)         + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer           fields no longer need to be received before the headers of the           subsequent stream nor are trailer fields for an in-progress stream           swallowed if the Connector is paused before the trailer fields are           received. (markt)         + Fix: Ensure the request and response are not recycled too soon for an           HTTP/2 stream when a stream level error is detected during the processing           of incoming HTTP/2 frames. This could lead to incorrect processing times           appearing in the access log. (markt)         + Fix: Fix 69320, a regression in the fix for 69302 that meant the           HTTP/2 processing was likely to be broken for all clients once any           client sent an HTTP/2 reset frame. (markt)         + Fix: Correct a regression in the fix for non-blocking reads of chunked           request bodies that caused InputStream.available() to return a non-zero           value when there was no data to read. In some circumstances this could           cause a blocking read to block waiting for more data rather than return           the data it had already received. (markt)         + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
          The default behaviour is unchanged. (markt)         + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving           one from the client when using the OpenSSLImplementation. (markt)         + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing           response headers to the access log. Based on a patch and test case           provided by hypnoce. (markt)         + Fix: 69302: If an HTTP/2 client resets a stream before the request body is           fully written, ensure that any ReadListener is notified via a call to           ReadListener.onErrror(). (markt)         + Fix: Correct regressions in the refactoring that added recycling of the           coyote request and response to the HTTP/2 processing. (markt)         + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native.
          OpenSSL support may be enabled by adding the           org.apache.catalina.core.OpenSSLLifecycleListener listener on the           Server element when using Java 22 or later. (remm)         + Fix: Ensure that HTTP/2 stream input buffers are only created when there           is a request body to be read. (markt)         + Code: Refactor creation of HttpParser instances from the Processor level           to the Protocol level since the parser configuration depends on the           protocol and the parser is, otherwise, stateless. (markt)         + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal           request and response processing objects by default. This behaviour can           be controlled via the new discardRequestsAndResponses attribute on the           HTTP/2 upgrade protocol. (markt)
      * Jasper         + Fix: Add back tag release method as deprecated in the runtime for           compatibility with old generated code. (remm)         + Fix: 69399: Fix regression caused by the improvement 69333 which caused           the tag release to be called when using tag pooling, and to be skipped           when not using it. Patch submitted by Michal Sobkiewicz. (remm)         + Fix: 69381: Improve method lookup performance in expression language.
          When the required method has no arguments there is no need to consider           casting or coercion and the method lookup process can be simplified.
          Based on pull request #770 by John Engebretson.
        + Fix: 69382: Improve the performance of the JSP include action by           re-using results of relatively expensive method calls in the generated           code rather than repeating them. Patch provided by John Engebretson.
          (markt)         + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
          Based on a suggestion by John Engebretson. (markt)         + Fix: 69406: When using StringInterpreterEnum, do not throw an           IllegalArgumentException when an invalid Enum is encountered. Instead,           resolve the value at runtime. Patch provided by John Engebretson.
          (markt)         + Fix: 69429: Optimise EL evaluation of method parameters for methods           that do not accept any parameters. Patch provided by John Engebretson.
          (markt)         + Fix: 69333: Remove unnecessary code from generated JSPs. (markt)         + Fix: 69338: Improve the performance of processing expressions that           include AND or OR operations with more than two operands and expressions           that use not empty. (markt)         + Fix: 69348: Reduce memory consumption in ELContext by using lazy           initialization for the data structure used to track lambda arguments.
          (markt)         + Fix: Switch the TldScanner back to logging detailed scan results at debug           level rather than trace level. (markt)
      * Web applications         + Fix: The manager webapp will now be able to access certificates again           when OpenSSL is used. (remm)         + Fix: Documentation. Align the logging configuration documentation with           the current defaults. (markt)
      * WebSocket         + Fix: If a blocking message write exceeds the timeout, don't attempt the           write again before throwing the exception. (markt)         + Fix: An EncodeException being thrown during a message write should not           automatically cause the connection to close. The application should           handle the exception and make the decision whether or not to close the           connection. (markt)
      * jdbc-pool         + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions           executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException           rather than the application seeing the original SQLException. Fixed by           pull request #744 provided by Michael Clarke. (markt)         + Fix: 69279: Correct a regression in the fix for 69206 that meant that           methods that previously returned a null ResultSet were returning a proxy           with a null delegate. Fixed by pull request #745 provided by Huub de Beer.
          (markt)         + Fix: 69206: Ensure statements returned from Statement methods           executeQuery(), getResultSet() and getGeneratedKeys() are correctly           wrapped before being returned to the caller. Based on pull request           #742 provided by Michael Clarke.
      * Other         + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing.
          (markt)         + Update: Update Byte Buddy to 1.15.10. (markt)         + Update: Update CheckStyle to 10.20.0. (markt)         + Add: Improvements to German translations. (remm)         + Add: Improvements to French translations. (remm)         + Add: Improvements to Japanese translations by tak7iji. (markt)         + Add: Improvements to Chinese translations by Ch_jp. (markt)         + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default.
          (markt)         + Fix: Change the default log handler level to ALL so log messages are           not dropped by default if a logger is configured to use trace (FINEST)           level logging. (markt)         + Update: Update Hamcrest to 3.0. (markt)         + Update: Update EasyMock to 5.4.0. (markt)         + Update: Update Byte Buddy to 1.15.0. (markt)         + Update: Update CheckStyle to 10.18.0. (markt)         + Update: Update the internal fork of Apache Commons BCEL to 6.10.0.
          (markt)         + Add: Improvements to Spanish translations by Fernando. (markt)         + Add: Improvements to French translations. (remm)         + Add: Improvements to Japanese translations by tak7iji. (markt)         + Fix: Fix packaging regression with missing osgi information following           addition of the test-only build target. (remm)         + Update: Update Tomcat Native to 1.3.1. (markt)         + Update: Update Byte Buddy to 1.14.18. (markt)         + Add: Improvements to French translations. (remm)         + Add: Improvements to Japanese translations by tak7iji. (markt)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2024:4075-1 advisory.

    - CVE-2024-52316: Fixed an authentication bypass when using Jakarta Authentication API (bsc#1233434).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host 9.0.0-M1 to 9.0.95, 10.1.0-M1 to 10.1.30 or 11.0.0-M1 to 11.0.0-M26. It is, therefore, affected by multiple vulnerabilities :

 - If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process. (CVE-2024-52316)

 - An incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. (CVE-2024-52317)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.0. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.0_security-11 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.31. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.31_security-10 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.96. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.96_security-9 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
213005	SolarWinds Web Help Desk < 12.8.4 Multiple Vulnerabilities	Nessus	CGI abuses	medium
212695	SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2024:4105-1)	Nessus	SuSE Local Security Checks	critical
212591	SUSE SLES15 / openSUSE 15 Security Update : tomcat (SUSE-SU-2024:4106-1)	Nessus	SuSE Local Security Checks	critical
212573	SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:4075-1)	Nessus	SuSE Local Security Checks	critical
114511	Apache Tomcat 9.0.0-M1 < 9.0.96 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114510	Apache Tomcat 10.1.0-M1 < 10.1.31 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
114509	Apache Tomcat 11.0.0-M1 < 11.0.0 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
211506	Apache Tomcat 11.0.0.M23 < 11.0.0 multiple vulnerabilities	Nessus	Web Servers	critical
211504	Apache Tomcat 10.1.27 < 10.1.31 multiple vulnerabilities	Nessus	Web Servers	critical
211503	Apache Tomcat 9.0.92 < 9.0.96 multiple vulnerabilities	Nessus	Web Servers	critical

Detections

Analytics

CVE-2024-52316

critical

Tenable Plugins

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical