CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API
https://seclists.org/oss-sec/2024/q4/103

Sounds pretty esoteric, but I may be wrong:
"If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail"