Affecting org.apache.tomcat:tomcat-catalina artifact, versions [7.0.0,7.0.72),[8,8.0.37),[8.5.0,8.5.5),[9-alpha,9.0.0.M10)
Affected versions of the package are vulnerable to Timing Attacks that can be used to determine valid user names. The Realm implementations did not process the supplied password if the supplied user name did not exist, so a failed login for a nonexistent user name took a different amount of time than a failed login for an existing one.
Note: The default configuration includes the LockOutRealm, which makes exploitation of this vulnerability harder.
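The pattern behind the advisory, as an added illustration that is not Tomcat's own Realm code: a realm that returns early for an unknown user skips the credential digest, while the hardened form does the same work on both paths by comparing against a dummy digest. The user store, the `DUMMY_DIGEST` value and the method names are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Added illustration, not Tomcat's own Realm code: a realm that skips password
// processing for unknown users leaks, via response time, whether a name exists.
public class RealmTimingExample {
    // Constructed sample store: user name -> hex SHA-256 of the password.
    private static final Map<String, String> USERS = Map.of(
        "alice", sha256Hex("correct horse battery staple"));
    // Hypothetical dummy digest so the hardened path always does the same work.
    private static final String DUMMY_DIGEST = sha256Hex("placeholder-for-unknown-user");

    // Vulnerable: returns before digesting the password when the user is
    // unknown, so only existing user names pay the digest cost (the gap is
    // larger still with the salted, iterated digests real realms may use).
    static boolean authenticateVulnerable(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null) {
            return false; // fast path: no digest computed for unknown users
        }
        return MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8),
            sha256Hex(password).getBytes(StandardCharsets.UTF_8));
    }

    // Hardened: always digest the supplied password and compare it against a
    // dummy value when the user is unknown, so both paths cost the same.
    static boolean authenticateHardened(String user, String password) {
        String stored = USERS.get(user);
        boolean exists = stored != null;
        String reference = exists ? stored : DUMMY_DIGEST;
        boolean match = MessageDigest.isEqual(
            reference.getBytes(StandardCharsets.UTF_8),
            sha256Hex(password).getBytes(StandardCharsets.UTF_8));
        return exists && match; // never succeeds for an unknown user
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println(authenticateHardened("alice", "correct horse battery staple"));
        System.out.println(authenticateHardened("bob", "anything"));
    }
}
```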