NVD: CVE-2021-30640
Jul 12, 2021 - 3:15 p.m.

CVE-2021-30640

2021-07-12 15:15:08
CWE-116
web.nvd.nist.gov
10
vulnerability
jndi realm
apache tomcat
user authentication
lockout realm

CVSS2

Score: 5.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

Score: 6.5
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS

Score: 0.002
Percentile: 58.4%

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Affected configurations

Nvd

Node
apache tomcat, Range 7.0.0 - 7.0.109
OR
apache tomcat, Range 8.5.0 - 8.5.66
OR
apache tomcat, Range 9.0.0 - 9.0.46
OR
apache tomcat, Range 10.0.0 - 10.0.6

Node
oracle communications_cloud_native_core_policy, Match 1.14.0
OR
oracle communications_diameter_signaling_router, Range 8.0.0 - 8.5.0
OR
oracle communications_pricing_design_center, Match 12.0.0.3.0
OR
oracle hospitality_cruise_shipboard_property_management_system, Match 20.1.0
OR
oracle tekelec_platform_distribution, Range 7.4.0 - 7.7.1

Node
debian debian_linux, Match 9.0
OR
debian debian_linux, Match 10.0
OR
debian debian_linux, Match 11.0

Vendor | Product | Version | CPE
apache | tomcat | * | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
oracle | communications_cloud_native_core_policy | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
oracle | communications_diameter_signaling_router | * | cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
oracle | communications_pricing_design_center | 12.0.0.3.0 | cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
oracle | hospitality_cruise_shipboard_property_management_system | 20.1.0 | cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*
oracle | tekelec_platform_distribution | * | cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:*
debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
