GHSA-9f3j-pm6f-9fm5

Опубликовано: 01 фев. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7

Описание

Race condition in Apache Tomcat

The fix for bug CVE-2020-9484 introduced a time of check time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Ссылки

Пакеты

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 10.0.0, < 10.0.16

10.0.16

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 9.0.0, < 9.0.58

9.0.58

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

< 8.5.75

8.5.75

EPSS

Процентиль: 34%

0.00138

Низкий

7 High

CVSS3

CVE ID

CVE-2022-23181

Дефекты

CWE-367

Связанные уязвимости

CVE-2022-23181

CVSS3: 7

ubuntu

больше 3 лет назад

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.