CVEs-PoC/2021/CVE-2021-30640.md

### [CVE-2021-30640](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Tomcat&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Tomcat%2010%3D%2010.0.0-M1%20to%2010.0.5%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Authentication%20weaknees&color=brighgreen)

### Description

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

### POC

#### Reference
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/versio-io/product-lifecycle-security-api