
BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server

    • 9.8
    • Critical
    • CVE-2024-52316
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • BASM (Broken Authentication & Session Management)
    • Crowd Data Center, Crowd Server

      This Critical severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 5.3.0, 6.0.1, 6.1.0, and 6.2.0 of Crowd Data Center and Server.

      This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, allows an unauthenticated attacker to expose assets in your environment that are susceptible to exploitation. It has high impact on confidentiality, high impact on integrity, and high impact on availability, and requires no user interaction.

      Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      • Crowd Data Center and Server 6.0: Upgrade to a release greater than or equal to 6.0.7
      • Crowd Data Center and Server 6.1: Upgrade to a release greater than or equal to 6.1.4
      • Crowd Data Center and Server 6.2: Upgrade to a release greater than or equal to 6.2.2

      See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).

      The National Vulnerability Database provides the following description for this vulnerability: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

      This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

      Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
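The following is an added example, not Atlassian or Apache code: it encodes the Crowd fixed-version table above (including the 5.3.x branch, which is listed as affected but has no fixed release on this page) and the Tomcat ranges from the NVD text, so an inventory of deployed versions can be classified. Tomcat milestone versions (the `-Mn` suffix) sort before the GA release with the same number; the sample versions are constructed.

```python
# Added example (not Atlassian or Apache code): classify a Crowd release and a
# bundled Tomcat release against the ranges stated in CWD-6335 / CVE-2024-52316.
import re
from typing import Optional

# Crowd: (first affected, first fixed) per branch, as stated in the advisory.
# 5.3.x is listed as affected but has no fixed release on this page.
CROWD_RANGES = {
    (5, 3): ((5, 3, 0), None),
    (6, 0): ((6, 0, 1), (6, 0, 7)),
    (6, 1): ((6, 1, 0), (6, 1, 4)),
    (6, 2): ((6, 2, 0), (6, 2, 2)),
}
# Tomcat: first fixed release per branch, from the NVD text (affected from x.y.0-M1).
TOMCAT_FIXED = {(11, 0): "11.0.0", (10, 1): "10.1.31", (9, 0): "9.0.96"}

def parse_crowd(v: str):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Crowd version: {v!r}")
    return tuple(int(x) for x in m.groups())

def parse_tomcat(v: str):
    """'9.0.95' or '11.0.0-M26' -> sortable tuple; a milestone sorts before its GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def crowd_status(v: str) -> str:
    t = parse_crowd(v)
    rng = CROWD_RANGES.get(t[:2])
    if rng is None:
        return "branch not listed in CWD-6335"
    introduced, fixed = rng
    if t < introduced:
        return "below the version listed as introducing the dependency"
    if fixed is None:
        return "affected; no fixed release listed in CWD-6335"
    if t >= fixed:
        return "fixed"
    return "affected; upgrade to " + ".".join(map(str, fixed)) + " or later"

def tomcat_affected(v: str) -> Optional[bool]:
    """True = in an affected range, False = at/after the fix, None = branch not listed."""
    t = parse_tomcat(v)
    fixed = TOMCAT_FIXED.get(t[:2])
    return None if fixed is None else t < parse_tomcat(fixed)
```

As the support note on this page states, Crowd does not use Jakarta Authentication, so a "affected" result here reflects the bundled Tomcat version that scanners flag, not an exploitable condition in Crowd.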


            Jason Kemp added a comment -

            If Crowd isn't vulnerable to this, why is that not mentioned in the Description? Why even say that there are affected versions at all?

            I get notifying that you're aware of this particular vulnerability affecting versions of Tomcat that some versions of Crowd use, but the second part of that is to mention that Crowd doesn't use the affected components so is unaffected. The way it's worded currently, Crowd is actually affected by this specific vulnerability. System Admins shouldn't have to investigate and figure this out themselves.


            Chakib Bennani added a comment -

            Hello Atlassian,

            Why is there no fixed version for Crowd LTS 5.3.x? It is not EOL yet and no new LTS has been released.

            Thank you.

            Regards,

            Chakib.

            Malcolm Ninnes added a comment -

            Support Note

            Hi all, Malcolm from Atlassian support here. Please note that this bug report page CWD-6335 for CVE-2024-52316 only covers when we updated Tomcat (to please security scanners that just look at the Tomcat version).

            To be clear, in actual fact, Crowd does not use Jakarta authentication, so Crowd is not vulnerable to CVE-2024-52316.
            David Detweiler made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            David Detweiler made changes -
            Summary Original: org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server New: BASM (Broken Authentication & Session Management) org.apache.tomcat:tomcat-catalina Dependency in Crowd Data Center and Server
            David Detweiler made changes -
            Vulnerability Classes Original: Patch Management [ 18158 ] New: BASM (Broken Authentication & Session Management) [ 18145 ]
            Security Metrics Bot made changes -
            Labels Original: security New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -
