Search for vulnerabilities
Vulnerability details: VCID-9y7r-pxr5-x3e8
Vulnerability ID VCID-9y7r-pxr5-x3e8
Aliases CVE-2021-30640
GHSA-36qh-35cm-5w2w
Summary A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-116 Improper Encoding or Escaping of Output
CWE-287 Improper Authentication
CWE-289 Authentication Bypass by Alternate Name
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30640.json
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2021-30640
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-36qh-35cm-5w2w
cvssv3.1 6.5 https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
cvssv3.1 6.5 https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2021-30640
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-30640
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-30640
cvssv3.1 6.5 https://security.gentoo.org/glsa/202208-34
generic_textual MODERATE https://security.gentoo.org/glsa/202208-34
cvssv3.1 6.5 https://security.netapp.com/advisory/ntap-20210827-0007
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20210827-0007
cvssv3.1 6.5 https://www.debian.org/security/2021/dsa-4952
generic_textual MODERATE https://www.debian.org/security/2021/dsa-4952
cvssv3.1 6.5 https://www.debian.org/security/2021/dsa-4986
generic_textual MODERATE https://www.debian.org/security/2021/dsa-4986
cvssv3.1 6.5 https://www.oracle.com/security-alerts/cpujan2022.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpujan2022.html
cvssv3.1 6.5 https://www.oracle.com//security-alerts/cpujul2021.html
generic_textual MODERATE https://www.oracle.com//security-alerts/cpujul2021.html
cvssv3.1 6.5 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpuoct2021.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30640.json
https://api.first.org/data/v1/epss?cve=CVE-2021-30640
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100
https://github.com/apache/tomcat/commit/17208c645d68d2af1444ee8c64f36a9b8f0ba76f
https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
https://github.com/apache/tomcat/commit/4e61e1d625a4a64d6b775e3a03c77a0b100d56d7
https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe
https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b
https://github.com/apache/tomcat/commit/81f16b0a7186ed02efbfac336589d6cff28d1e89
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
https://github.com/apache/tomcat/commit/b930d0b3161d9ec78d5fa57f886ed2de4680518b
https://github.com/apache/tomcat/commit/bd4d1fbe9146dff4714130594afd668406a6a5ef
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822
https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972
https://github.com/apache/tomcat/commit/d5303a506c7533803d2b3bc46e6120ce673a6667
https://github.com/apache/tomcat/commit/e21eb4764ccda55e5a35a5a7c19a6fd2b0757fe9
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
https://github.com/apache/tomcat/commit/eeb7351219bd8803c0053e1e80444664a7cf5b51
https://github.com/apache/tomcat/commit/f4d9bdef53ec009b7717620d890465fa273721a6
https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
https://nvd.nist.gov/vuln/detail/CVE-2021-30640
https://security.gentoo.org/glsa/202208-34
https://security.netapp.com/advisory/ntap-20210827-0007
https://security.netapp.com/advisory/ntap-20210827-0007/
https://www.debian.org/security/2021/dsa-4952
https://www.debian.org/security/2021/dsa-4986
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
1981544 https://bugzilla.redhat.com/show_bug.cgi?id=1981544
991046 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2021-30640 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
GHSA-36qh-35cm-5w2w https://github.com/advisories/GHSA-36qh-35cm-5w2w
RHSA-2021:4861 https://access.redhat.com/errata/RHSA-2021:4861
RHSA-2021:4863 https://access.redhat.com/errata/RHSA-2021:4863
RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179
RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
USN-5360-1 https://usn.ubuntu.com/5360-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30640.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-30640
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-30640
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://security.gentoo.org/glsa/202208-34
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20210827-0007
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://www.debian.org/security/2021/dsa-4952
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://www.debian.org/security/2021/dsa-4986
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://www.oracle.com/security-alerts/cpujan2022.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://www.oracle.com//security-alerts/cpujul2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuoct2021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.4007
EPSS Score 0.00179
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:16:19.480755+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/5360-1/ 36.1.3