{"id":"CVE-2021-30640","details":"A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.","aliases":["BIT-tomcat-2021-30640","GHSA-36qh-35cm-5w2w"],"modified":"2026-03-27T08:59:26.170931238Z","published":"2021-07-12T15:15:08.367Z","related":["MGASA-2021-0485","SUSE-SU-2021:3602-1","SUSE-SU-2021:3669-1","SUSE-SU-2021:3670-1","SUSE-SU-2021:3672-1","SUSE-SU-2026:1058-1","openSUSE-SU-2021:1490-1","openSUSE-SU-2021:3672-1","openSUSE-SU-2024:11618-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-34"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210827-0007/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4952"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4986"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"fixed":"37ae42a2996911b9ba6b88e7b0828f855b9d38f6"},{"introduced":"4c8b650437e2464c1c31c6598a263b3805b7a81f"},{"fixed":"f725f57f195de035a5cbc6602a1f7a3ad43ee5b5"},{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"fixed":"12afa2cd11ffa9522cd98acc228ecb1bad6b8006"},{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"fixed":"2cdef2c0241cdf70b5edd88d3733a52e6b675047"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-30640.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"}]}