Cyber Resilience

CVE-2024-52316

Critical

Published: 18 November 2024

Published
18 November 2024
Modified
07 November 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0198 84.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-52316 is a critical-severity Unchecked Error Condition (CWE-391) vulnerability in Apache Tomcat. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the…

more

authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
tomcat
11.0.0 · 9.0.0 — 9.0.96 · 10.1.0 — 10.1.31
debian
debian linux
11.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-391 CWE-754

Ensures audit logging process failures are checked and trigger defined responses instead of remaining unchecked.

addresses: CWE-391 CWE-754

Testing IR effectiveness identifies and drives fixes for unchecked error conditions that fail to initiate incident handling.

addresses: CWE-391 CWE-754

Mandates ongoing correlation, analysis, and response to monitoring results, reducing unchecked error conditions from control assessments.

addresses: CWE-754

Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.

addresses: CWE-754

Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.

addresses: CWE-391

Policy enforces checking and handling of error conditions as part of incident response processes.

addresses: CWE-391

Formal incident handling procedures enforce checking and acting on error conditions that could indicate security incidents.

addresses: CWE-754

Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.

References