CVE-2024-52316
CVE-2024-52316 is a critical-severity vulnerability in Apache Tomcat with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-754.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 6% (93rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-3331
- Weakness: CWE-754
- Affected product: Apache Tomcat
- Published:
- Last modified:
Description
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Frequently asked questions
- What is CVE-2024-52316?
- Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
- How severe is CVE-2024-52316?
- CVE-2024-52316 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-52316 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 6% (93rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-52316?
- CVE-2024-52316 primarily affects Apache Tomcat. In total, 28 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-52316?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2024-52316 have an EU (EUVD) identifier?
- Yes. CVE-2024-52316 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3331.
- When was CVE-2024-52316 published?
- CVE-2024-52316 was published on 2024-11-18 and last updated on 2026-06-17.
References
- https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
- http://www.openwall.com/lists/oss-security/2024/11/18/2
- https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
- https://security.netapp.com/advisory/ntap-20250124-0003/
Affected products (28)
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
More vulnerabilities in Apache Tomcat
- CVE-2026-43512 — Critical (CVSS 9.8): DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects…
- CVE-2026-41293 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through…
- CVE-2025-31651 — Critical (CVSS 9.8): Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely…
- CVE-2025-24813 — Critical (CVSS 9.8): Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or…
- CVE-2024-56337 — Critical (CVSS 9.8): Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat:…
- CVE-2024-50379 — Critical (CVSS 9.8): Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE…
All CVEs affecting Apache Tomcat →
Other CWE-754 (Improper Check for Unusual or Exceptional Conditions) vulnerabilities
- CVE-2026-24054 — Critical (CVSS 10.0): Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs)…
- CVE-2021-0211 — Critical (CVSS 10.0): An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing…
- CVE-2026-8091 — Critical (CVSS 9.8): Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150,…
- CVE-2024-7826 — Critical (CVSS 9.8): Improper Check for Unusual or Exceptional Conditions vulnerability in Webroot SecureAnywhere - Web Shield on Windows,…
- CVE-2023-37303 — Critical (CVSS 9.8): An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to…
- CVE-2017-20166 — Critical (CVSS 9.8): Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between is_nil and raise.
Browse all CWE-754 (Improper Check for Unusual or Exceptional Conditions) vulnerabilities →