The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 | Mailing List Mitigation Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html | Mailing List Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220217-0010/ | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5265 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2022, 18:49
Type | Values Removed | Values Added |
---|---|---|
First Time |
Debian debian Linux
Debian |
|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
30 Oct 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 Oct 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Jul 2022, 02:02
Type | Values Removed | Values Added |
---|---|---|
References | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory | |
First Time |
Oracle managed File Transfer
Oracle agile Engineering Data Management Oracle mysql Enterprise Monitor Oracle Oracle communications Cloud Native Core Policy Oracle financial Services Crime And Compliance Management Studio |
|
CPE | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* |
25 Jul 2022, 18:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Apr 2022, 00:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Apr 2022, 16:22
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 3.7
v3 : 7.0 |
04 Mar 2022, 21:33
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory |
17 Feb 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Feb 2022, 17:04
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory | |
CPE | cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* |
|
First Time |
Apache tomcat
Apache |
|
CWE | CWE-367 | |
CVSS |
v2 : v3 : |
v2 : 4.4
v3 : 7.0 |
27 Jan 2022, 13:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-01-27 13:15
Updated : 2023-12-10 14:09
NVD link : CVE-2022-23181
Mitre link : CVE-2022-23181
CVE.ORG link : CVE-2022-23181
JSON object : View
Products Affected
oracle
- communications_cloud_native_core_policy
- managed_file_transfer
- agile_engineering_data_management
- financial_services_crime_and_compliance_management_studio
- mysql_enterprise_monitor
debian
- debian_linux
apache
- tomcat
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition