CVEs-PoC/2021/CVE-2021-30640.md

### [CVE-2021-30640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Tomcat&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%2010%2010.0.0-M1%20to%2010.0.5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%207%207.0.0%20to%207.0.108%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%208.5%208.5.0%20to%208.5.65%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%209%209.0.0.M1%20to%209.0.45%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Authentication%20weaknees&color=brightgreen)

### Description

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

### POC

#### Reference
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/dusbot/cpe2cve
- https://github.com/m3n0sd0n4ld/uCVE
- https://github.com/versio-io/product-lifecycle-security-api