tomcat-catalina is vulnerable to access restriction bypass. User-provided parameters or configuration data provided by an administrator are not properly sanitized, which allows a user to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.
bz.apache.org/bugzilla/show_bug.cgi?id=65224
lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
lists.debian.org/debian-lts-announce/2021/08/msg00009.html
security.netapp.com/advisory/ntap-20210827-0007/
tomcat.apache.org/security-10.html
www.debian.org/security/2021/dsa-4952
www.debian.org/security/2021/dsa-4986
www.oracle.com//security-alerts/cpujul2021.html
www.oracle.com/security-alerts/cpujan2022.html
www.oracle.com/security-alerts/cpuoct2021.html