Veracode Vulnerability Database, VERACODE:19750
History: May 16, 2019 - 3:23 a.m.

Authentication Bypass

sca.analysiscenter.veracode.com

EPSS: 0.012 (Low), percentile 85.3%

Tomcat is vulnerable to authentication bypass. When pre-produced responses from an OCSP responder are used, Tomcat Native does not correctly validate the status of certificates. Because revoked client certificates are not properly identified, users with revoked certificates could authenticate when mutual TLS is in use.
