Tomcat — контейнер сервлетов с открытым исходным кодом
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 262
GHSA-2rvf-329f-p99g
System Property Disclosure in Apache Tomcat
GHSA-4v3g-g84w-hv7r
Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat
GHSA-wxcp-f2c8-x6xv
Observable Discrepancy in Apache Tomcat
GHSA-q6x7-f33r-3wxx
Incorrect Authorization in Apache Tomcat
GHSA-r84p-88g2-2vx2
Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 ...
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVE-2022-25762
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-2rvf-329f-p99g System Property Disclosure in Apache Tomcat | CVSS3: 5.3 | 0% Низкий | больше 3 лет назад |
| GHSA-4v3g-g84w-hv7r Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat | CVSS3: 9.1 | 1% Низкий | больше 3 лет назад |
| GHSA-wxcp-f2c8-x6xv Observable Discrepancy in Apache Tomcat | CVSS3: 5.9 | 1% Низкий | больше 3 лет назад |
| GHSA-q6x7-f33r-3wxx Incorrect Authorization in Apache Tomcat | CVSS3: 7.5 | 1% Низкий | больше 3 лет назад |
| GHSA-r84p-88g2-2vx2 Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption | CVSS3: 7.5 | 60% Средний | больше 3 лет назад |
 | CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | CVSS3: 7.5 | 60% Средний | больше 3 лет назад |
| CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 ... | CVSS3: 7.5 | 60% Средний | больше 3 лет назад |
 | CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | CVSS3: 7.5 | 60% Средний | больше 3 лет назад |
 | CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. | CVSS3: 8.6 | 1% Низкий | больше 3 лет назад |
| CVE-2022-29885 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | CVSS3: 3.7 | 60% Средний | больше 3 лет назад |
Уязвимостей на страницу