Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

[Web App Scanning] Apache Tomcat Multiple Vulnerabilities

The version of Tomcat installed on the remote host is prior to 11.0.0. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.0_security-11 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.31. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.31_security-10 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.96. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.96_security-9 advisory.

  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request     and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This     issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92     through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the     issue. (CVE-2024-52317)

  - Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta     Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the     authentication process without explicitly setting an HTTP status to indicate failure, the authentication     may not fail, allowing the user to bypass the authentication process. There are no known Jakarta     Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1     through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to     upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. (CVE-2024-52316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211506	Apache Tomcat 11.0.0.M23 < 11.0.0 multiple vulnerabilities	Nessus	Web Servers	critical
211504	Apache Tomcat 10.1.27 < 10.1.31 multiple vulnerabilities	Nessus	Web Servers	critical
211503	Apache Tomcat 9.0.92 < 9.0.96 multiple vulnerabilities	Nessus	Web Servers	critical

Detections

Analytics

CVE-2024-52317

medium

Tenable Plugins

Coming Soon

critical

critical

critical