{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"HIGH"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":null,
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55957"
			},
			{
				"summary":"CVE-2026-55957 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-55957.json"
			},
			{
				"summary":"openEuler-SA-2026-2950",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2950"
			},
			{
				"summary":"CVE-2026-55957",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-55957&packageName=tomcat"
			}
		],
		"title":"openEuler cve CVE-2026-55957",
		"tracking":{
			"initial_release_date":"2026-07-14T11:13:20+08:00",
			"revision_history":[
				{
					"date":"2026-07-14T11:13:20+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-07-14T11:13:20+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-07-14T11:13:20+08:00",
			"id":"CVE-2026-55957",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"openEuler-24.03-LTS-SP3",
									"name":"openEuler-24.03-LTS-SP3"
								},
								"name":"openEuler-24.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"tomcat-9.0.119-1.oe2403sp3.noarch.rpm",
									"name":"tomcat-9.0.119-1.oe2403sp3.noarch.rpm"
								},
								"name":"tomcat-9.0.119-1.oe2403sp3.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"tomcat-help-9.0.119-1.oe2403sp3.noarch.rpm",
									"name":"tomcat-help-9.0.119-1.oe2403sp3.noarch.rpm"
								},
								"name":"tomcat-help-9.0.119-1.oe2403sp3.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"tomcat-jsvc-9.0.119-1.oe2403sp3.noarch.rpm",
									"name":"tomcat-jsvc-9.0.119-1.oe2403sp3.noarch.rpm"
								},
								"name":"tomcat-jsvc-9.0.119-1.oe2403sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3"
									},
									"product_id":"tomcat-9.0.119-1.oe2403sp3.src.rpm",
									"name":"tomcat-9.0.119-1.oe2403sp3.src.rpm"
								},
								"name":"tomcat-9.0.119-1.oe2403sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"tomcat-9.0.119-1.oe2403sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.noarch",
					"name":"tomcat-9.0.119-1.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"tomcat-help-9.0.119-1.oe2403sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:tomcat-help-9.0.119-1.oe2403sp3.noarch",
					"name":"tomcat-help-9.0.119-1.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"tomcat-jsvc-9.0.119-1.oe2403sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:tomcat-jsvc-9.0.119-1.oe2403sp3.noarch",
					"name":"tomcat-jsvc-9.0.119-1.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP3",
				"product_reference":"tomcat-9.0.119-1.oe2403sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.src",
					"name":"tomcat-9.0.119-1.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-55957",
			"notes":[
				{
					"text":"Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.noarch",
					"openEuler-24.03-LTS-SP3:tomcat-help-9.0.119-1.oe2403sp3.noarch",
					"openEuler-24.03-LTS-SP3:tomcat-jsvc-9.0.119-1.oe2403sp3.noarch",
					"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-help-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-jsvc-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.src"
					],
					"details":"tomcat security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2950"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-help-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-jsvc-9.0.119-1.oe2403sp3.noarch",
						"openEuler-24.03-LTS-SP3:tomcat-9.0.119-1.oe2403sp3.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2026-55957"
		}
	]
}