Vulnerability Details CVE-2021-30640
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 53.8%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.8
References
- https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
- https://security.gentoo.org/glsa/202208-34
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://www.debian.org/security/2021/dsa-4952
- https://www.debian.org/security/2021/dsa-4986
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
- https://security.gentoo.org/glsa/202208-34
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://www.debian.org/security/2021/dsa-4952
- https://www.debian.org/security/2021/dsa-4986
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2021-30640
-
cpe:2.3:a:apache:tomcat:10.0.0
-
cpe:2.3:a:apache:tomcat:10.0.1
-
cpe:2.3:a:apache:tomcat:10.0.2
-
cpe:2.3:a:apache:tomcat:10.0.3
-
cpe:2.3:a:apache:tomcat:10.0.4
-
cpe:2.3:a:apache:tomcat:10.0.5
-
cpe:2.3:a:apache:tomcat:7.0.0
-
cpe:2.3:a:apache:tomcat:7.0.1
-
cpe:2.3:a:apache:tomcat:7.0.10
-
cpe:2.3:a:apache:tomcat:7.0.100
-
cpe:2.3:a:apache:tomcat:7.0.101
-
cpe:2.3:a:apache:tomcat:7.0.102
-
cpe:2.3:a:apache:tomcat:7.0.103
-
cpe:2.3:a:apache:tomcat:7.0.104
-
cpe:2.3:a:apache:tomcat:7.0.105
-
cpe:2.3:a:apache:tomcat:7.0.106
-
cpe:2.3:a:apache:tomcat:7.0.107
-
cpe:2.3:a:apache:tomcat:7.0.108
-
cpe:2.3:a:apache:tomcat:7.0.11
-
cpe:2.3:a:apache:tomcat:7.0.12
-
cpe:2.3:a:apache:tomcat:7.0.13
-
cpe:2.3:a:apache:tomcat:7.0.14
-
cpe:2.3:a:apache:tomcat:7.0.15
-
cpe:2.3:a:apache:tomcat:7.0.16
-
cpe:2.3:a:apache:tomcat:7.0.17
-
cpe:2.3:a:apache:tomcat:7.0.18
-
cpe:2.3:a:apache:tomcat:7.0.19
-
cpe:2.3:a:apache:tomcat:7.0.2
-
cpe:2.3:a:apache:tomcat:7.0.20
-
cpe:2.3:a:apache:tomcat:7.0.21
-
cpe:2.3:a:apache:tomcat:7.0.22
-
cpe:2.3:a:apache:tomcat:7.0.23
-
cpe:2.3:a:apache:tomcat:7.0.24
-
cpe:2.3:a:apache:tomcat:7.0.25
-
cpe:2.3:a:apache:tomcat:7.0.26
-
cpe:2.3:a:apache:tomcat:7.0.27
-
cpe:2.3:a:apache:tomcat:7.0.28
-
cpe:2.3:a:apache:tomcat:7.0.29
-
cpe:2.3:a:apache:tomcat:7.0.3
-
cpe:2.3:a:apache:tomcat:7.0.30
-
cpe:2.3:a:apache:tomcat:7.0.31
-
cpe:2.3:a:apache:tomcat:7.0.32
-
cpe:2.3:a:apache:tomcat:7.0.33
-
cpe:2.3:a:apache:tomcat:7.0.34
-
cpe:2.3:a:apache:tomcat:7.0.35
-
cpe:2.3:a:apache:tomcat:7.0.36
-
cpe:2.3:a:apache:tomcat:7.0.37
-
cpe:2.3:a:apache:tomcat:7.0.38
-
cpe:2.3:a:apache:tomcat:7.0.39
-
cpe:2.3:a:apache:tomcat:7.0.4
-
cpe:2.3:a:apache:tomcat:7.0.40
-
cpe:2.3:a:apache:tomcat:7.0.41
-
cpe:2.3:a:apache:tomcat:7.0.42
-
cpe:2.3:a:apache:tomcat:7.0.43
-
cpe:2.3:a:apache:tomcat:7.0.44
-
cpe:2.3:a:apache:tomcat:7.0.45
-
cpe:2.3:a:apache:tomcat:7.0.46
-
cpe:2.3:a:apache:tomcat:7.0.47
-
cpe:2.3:a:apache:tomcat:7.0.48
-
cpe:2.3:a:apache:tomcat:7.0.49
-
cpe:2.3:a:apache:tomcat:7.0.5
-
cpe:2.3:a:apache:tomcat:7.0.50
-
cpe:2.3:a:apache:tomcat:7.0.51
-
cpe:2.3:a:apache:tomcat:7.0.52
-
cpe:2.3:a:apache:tomcat:7.0.53
-
cpe:2.3:a:apache:tomcat:7.0.54
-
cpe:2.3:a:apache:tomcat:7.0.55
-
cpe:2.3:a:apache:tomcat:7.0.56
-
cpe:2.3:a:apache:tomcat:7.0.57
-
cpe:2.3:a:apache:tomcat:7.0.58
-
cpe:2.3:a:apache:tomcat:7.0.59
-
cpe:2.3:a:apache:tomcat:7.0.6
-
cpe:2.3:a:apache:tomcat:7.0.60
-
cpe:2.3:a:apache:tomcat:7.0.61
-
cpe:2.3:a:apache:tomcat:7.0.62
-
cpe:2.3:a:apache:tomcat:7.0.63
-
cpe:2.3:a:apache:tomcat:7.0.64
-
cpe:2.3:a:apache:tomcat:7.0.65
-
cpe:2.3:a:apache:tomcat:7.0.66
-
cpe:2.3:a:apache:tomcat:7.0.67
-
cpe:2.3:a:apache:tomcat:7.0.68
-
cpe:2.3:a:apache:tomcat:7.0.69
-
cpe:2.3:a:apache:tomcat:7.0.7
-
cpe:2.3:a:apache:tomcat:7.0.70
-
cpe:2.3:a:apache:tomcat:7.0.71
-
cpe:2.3:a:apache:tomcat:7.0.72
-
cpe:2.3:a:apache:tomcat:7.0.73
-
cpe:2.3:a:apache:tomcat:7.0.74
-
cpe:2.3:a:apache:tomcat:7.0.75
-
cpe:2.3:a:apache:tomcat:7.0.76
-
cpe:2.3:a:apache:tomcat:7.0.77
-
cpe:2.3:a:apache:tomcat:7.0.78
-
cpe:2.3:a:apache:tomcat:7.0.79
-
cpe:2.3:a:apache:tomcat:7.0.8
-
cpe:2.3:a:apache:tomcat:7.0.80
-
cpe:2.3:a:apache:tomcat:7.0.81
-
cpe:2.3:a:apache:tomcat:7.0.82
-
cpe:2.3:a:apache:tomcat:7.0.83
-
cpe:2.3:a:apache:tomcat:7.0.84
-
cpe:2.3:a:apache:tomcat:7.0.85
-
cpe:2.3:a:apache:tomcat:7.0.86
-
cpe:2.3:a:apache:tomcat:7.0.87
-
cpe:2.3:a:apache:tomcat:7.0.88
-
cpe:2.3:a:apache:tomcat:7.0.89
-
cpe:2.3:a:apache:tomcat:7.0.9
-
cpe:2.3:a:apache:tomcat:7.0.90
-
cpe:2.3:a:apache:tomcat:7.0.91
-
cpe:2.3:a:apache:tomcat:7.0.92
-
cpe:2.3:a:apache:tomcat:7.0.93
-
cpe:2.3:a:apache:tomcat:7.0.94
-
cpe:2.3:a:apache:tomcat:7.0.95
-
cpe:2.3:a:apache:tomcat:7.0.96
-
cpe:2.3:a:apache:tomcat:7.0.97
-
cpe:2.3:a:apache:tomcat:7.0.98
-
cpe:2.3:a:apache:tomcat:7.0.99
-
cpe:2.3:a:apache:tomcat:8.5.0
-
cpe:2.3:a:apache:tomcat:8.5.1
-
cpe:2.3:a:apache:tomcat:8.5.10
-
cpe:2.3:a:apache:tomcat:8.5.11
-
cpe:2.3:a:apache:tomcat:8.5.12
-
cpe:2.3:a:apache:tomcat:8.5.13
-
cpe:2.3:a:apache:tomcat:8.5.14
-
cpe:2.3:a:apache:tomcat:8.5.15
-
cpe:2.3:a:apache:tomcat:8.5.16
-
cpe:2.3:a:apache:tomcat:8.5.17
-
cpe:2.3:a:apache:tomcat:8.5.18
-
cpe:2.3:a:apache:tomcat:8.5.19
-
cpe:2.3:a:apache:tomcat:8.5.2
-
cpe:2.3:a:apache:tomcat:8.5.20
-
cpe:2.3:a:apache:tomcat:8.5.21
-
cpe:2.3:a:apache:tomcat:8.5.22
-
cpe:2.3:a:apache:tomcat:8.5.23
-
cpe:2.3:a:apache:tomcat:8.5.24
-
cpe:2.3:a:apache:tomcat:8.5.25
-
cpe:2.3:a:apache:tomcat:8.5.26
-
cpe:2.3:a:apache:tomcat:8.5.27
-
cpe:2.3:a:apache:tomcat:8.5.28
-
cpe:2.3:a:apache:tomcat:8.5.29
-
cpe:2.3:a:apache:tomcat:8.5.3
-
cpe:2.3:a:apache:tomcat:8.5.30
-
cpe:2.3:a:apache:tomcat:8.5.31
-
cpe:2.3:a:apache:tomcat:8.5.32
-
cpe:2.3:a:apache:tomcat:8.5.33
-
cpe:2.3:a:apache:tomcat:8.5.34
-
cpe:2.3:a:apache:tomcat:8.5.35
-
cpe:2.3:a:apache:tomcat:8.5.36
-
cpe:2.3:a:apache:tomcat:8.5.37
-
cpe:2.3:a:apache:tomcat:8.5.38
-
cpe:2.3:a:apache:tomcat:8.5.39
-
cpe:2.3:a:apache:tomcat:8.5.4
-
cpe:2.3:a:apache:tomcat:8.5.40
-
cpe:2.3:a:apache:tomcat:8.5.41
-
cpe:2.3:a:apache:tomcat:8.5.42
-
cpe:2.3:a:apache:tomcat:8.5.43
-
cpe:2.3:a:apache:tomcat:8.5.44
-
cpe:2.3:a:apache:tomcat:8.5.45
-
cpe:2.3:a:apache:tomcat:8.5.46
-
cpe:2.3:a:apache:tomcat:8.5.47
-
cpe:2.3:a:apache:tomcat:8.5.48
-
cpe:2.3:a:apache:tomcat:8.5.49
-
cpe:2.3:a:apache:tomcat:8.5.5
-
cpe:2.3:a:apache:tomcat:8.5.50
-
cpe:2.3:a:apache:tomcat:8.5.51
-
cpe:2.3:a:apache:tomcat:8.5.52
-
cpe:2.3:a:apache:tomcat:8.5.53
-
cpe:2.3:a:apache:tomcat:8.5.54
-
cpe:2.3:a:apache:tomcat:8.5.55
-
cpe:2.3:a:apache:tomcat:8.5.56
-
cpe:2.3:a:apache:tomcat:8.5.57
-
cpe:2.3:a:apache:tomcat:8.5.58
-
cpe:2.3:a:apache:tomcat:8.5.59
-
cpe:2.3:a:apache:tomcat:8.5.6
-
cpe:2.3:a:apache:tomcat:8.5.60
-
cpe:2.3:a:apache:tomcat:8.5.61
-
cpe:2.3:a:apache:tomcat:8.5.62
-
cpe:2.3:a:apache:tomcat:8.5.63
-
cpe:2.3:a:apache:tomcat:8.5.64
-
cpe:2.3:a:apache:tomcat:8.5.65
-
cpe:2.3:a:apache:tomcat:8.5.7
-
cpe:2.3:a:apache:tomcat:8.5.8
-
cpe:2.3:a:apache:tomcat:8.5.9
-
cpe:2.3:a:apache:tomcat:9.0.0
-
cpe:2.3:a:apache:tomcat:9.0.1
-
cpe:2.3:a:apache:tomcat:9.0.10
-
cpe:2.3:a:apache:tomcat:9.0.11
-
cpe:2.3:a:apache:tomcat:9.0.12
-
cpe:2.3:a:apache:tomcat:9.0.13
-
cpe:2.3:a:apache:tomcat:9.0.14
-
cpe:2.3:a:apache:tomcat:9.0.15
-
cpe:2.3:a:apache:tomcat:9.0.16
-
cpe:2.3:a:apache:tomcat:9.0.17
-
cpe:2.3:a:apache:tomcat:9.0.18
-
cpe:2.3:a:apache:tomcat:9.0.19
-
cpe:2.3:a:apache:tomcat:9.0.2
-
cpe:2.3:a:apache:tomcat:9.0.20
-
cpe:2.3:a:apache:tomcat:9.0.21
-
cpe:2.3:a:apache:tomcat:9.0.22
-
cpe:2.3:a:apache:tomcat:9.0.23
-
cpe:2.3:a:apache:tomcat:9.0.24
-
cpe:2.3:a:apache:tomcat:9.0.25
-
cpe:2.3:a:apache:tomcat:9.0.26
-
cpe:2.3:a:apache:tomcat:9.0.27
-
cpe:2.3:a:apache:tomcat:9.0.28
-
cpe:2.3:a:apache:tomcat:9.0.29
-
cpe:2.3:a:apache:tomcat:9.0.3
-
cpe:2.3:a:apache:tomcat:9.0.30
-
cpe:2.3:a:apache:tomcat:9.0.31
-
cpe:2.3:a:apache:tomcat:9.0.32
-
cpe:2.3:a:apache:tomcat:9.0.33
-
cpe:2.3:a:apache:tomcat:9.0.34
-
cpe:2.3:a:apache:tomcat:9.0.35
-
cpe:2.3:a:apache:tomcat:9.0.35-3.39.1
-
cpe:2.3:a:apache:tomcat:9.0.35-3.57.3
-
cpe:2.3:a:apache:tomcat:9.0.36
-
cpe:2.3:a:apache:tomcat:9.0.37
-
cpe:2.3:a:apache:tomcat:9.0.38
-
cpe:2.3:a:apache:tomcat:9.0.39
-
cpe:2.3:a:apache:tomcat:9.0.4
-
cpe:2.3:a:apache:tomcat:9.0.40
-
cpe:2.3:a:apache:tomcat:9.0.41
-
cpe:2.3:a:apache:tomcat:9.0.42
-
cpe:2.3:a:apache:tomcat:9.0.43
-
cpe:2.3:a:apache:tomcat:9.0.44
-
cpe:2.3:a:apache:tomcat:9.0.45
-
cpe:2.3:a:apache:tomcat:9.0.5
-
cpe:2.3:a:apache:tomcat:9.0.6
-
cpe:2.3:a:apache:tomcat:9.0.7
-
cpe:2.3:a:apache:tomcat:9.0.8
-
cpe:2.3:a:apache:tomcat:9.0.9
-
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.5
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.5.0
-
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0
-
cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0
-
cpe:2.3:a:oracle:tekelec_platform_distribution:7.4.0
-
cpe:2.3:a:oracle:tekelec_platform_distribution:7.7.1
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:debian:debian_linux:9.0