First published: Wed Jan 26 2022
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-tomcat | <0:9.0.62-9.redhat_00005.1.el7 | 0:9.0.62-9.redhat_00005.1.el7 |
redhat/jws5-tomcat | <0:9.0.62-9.redhat_00005.1.el8 | 0:9.0.62-9.redhat_00005.1.el8 |
redhat/jws5-tomcat | <0:9.0.62-9.redhat_00005.1.el9 | 0:9.0.62-9.redhat_00005.1.el9 |
debian/tomcat9 | <=9.0.31-1~deb10u6 | 9.0.31-1~deb10u10, 9.0.43-2~deb11u6, 9.0.43-2~deb11u9, 9.0.70-2 |
Apache Tomcat | >=8.5.55<=8.5.73 | |
Apache Tomcat | >=9.0.35<=9.0.56 | |
Apache Tomcat | >=10.0.1<=10.0.14 | |
Apache Tomcat | =10.0.0-milestone10 | |
Apache Tomcat | =10.0.0-milestone5 | |
Apache Tomcat | =10.0.0-milestone6 | |
Apache Tomcat | =10.0.0-milestone7 | |
Apache Tomcat | =10.0.0-milestone8 | |
Apache Tomcat | =10.0.0-milestone9 | |
Apache Tomcat | =10.1.0-milestone1 | |
Apache Tomcat | =10.1.0-milestone2 | |
Apache Tomcat | =10.1.0-milestone3 | |
Apache Tomcat | =10.1.0-milestone4 | |
Apache Tomcat | =10.1.0-milestone5 | |
Apache Tomcat | =10.1.0-milestone6 | |
Apache Tomcat | =10.1.0-milestone7 | |
Apache Tomcat | =10.1.0-milestone8 | |
Oracle Agile Engineering Data Management | =6.2.1.0 | |
Oracle Communications Cloud Native Core Policy | =1.15.0 | |
Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
Oracle Managed File Transfer | =12.2.1.3.0 | |
Oracle Managed File Transfer | =12.2.1.4.0 | |
IBM Cognos Analytics | <=8.0.29 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
CVE-2022-23181 is a time of check, time of use vulnerability in Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56, and 8.5.55 to 8.5.73.
CVE-2022-23181 has a severity level of high with a CVSS score of 7.0.
CVE-2022-23181 allows a local attacker to perform actions with the privileges of the user account that the Tomcat process runs as.
Apache Tomcat versions 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56, and 8.5.55 to 8.5.73 are affected by CVE-2022-23181.
To fix CVE-2022-23181, update Apache Tomcat to version 10.1.0-M9, 10.0.15, 9.0.57, or 8.5.74 or later.
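The advisory makes two points that a defender needs to combine: the issue only exists in the listed version ranges, and it is only exploitable when session persistence through the FileStore is configured. The following script is an added example, not code from SecAlerts or from the Apache Tomcat project. It parses Tomcat version strings (including milestone builds such as 10.1.0-M8, which sort before the GA release of the same number), checks them against the affected ranges and fixed releases quoted in this advisory, and inspects a context.xml fragment for a `<Store>` element using `org.apache.catalina.session.FileStore` inside a `<Manager>`. The sample context.xml fragments are constructed for the example; the function and variable names are the example's own.

```python
"""Offline exposure check for CVE-2022-23181 (added example; not SecAlerts or Apache code).

Answers the two questions the advisory raises:
  1. Is this Tomcat version inside an affected range, and what is the fixed release?
  2. Is FileStore-based session persistence configured, so the issue is exploitable at all?
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# "9.0.56" or "10.1.0-M8". A milestone build sorts before the GA build of the
# same x.y.z, so the comparison key is (major, minor, patch, is_ga, milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


# Inclusive affected ranges and first fixed release per branch, as stated in the advisory.
AFFECTED_RANGES = [
    ("8.5.55", "8.5.73", "8.5.74"),
    ("9.0.35", "9.0.56", "9.0.57"),
    ("10.0.0-M5", "10.0.14", "10.0.15"),
    ("10.1.0-M1", "10.1.0-M8", "10.1.0-M9"),
]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None if the version is not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


FILESTORE_CLASS = "org.apache.catalina.session.FileStore"


def filestore_configured(context_xml: str) -> bool:
    """True if any <Store> under a <Manager> in the context uses FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        for store in manager.iter("Store"):
            if store.get("className") == FILESTORE_CLASS:
                return True
    return False


def assess(version: str, context_xml: str) -> dict:
    """Combine the version check with the configuration precondition."""
    fixed = fixed_version_for(version)
    uses_filestore = filestore_configured(context_xml)
    return {
        "affected_version": fixed is not None,
        "filestore_configured": uses_filestore,
        "exposed": fixed is not None and uses_filestore,
        "upgrade_to": fixed,
    }


# Constructed sample context.xml fragments (not taken from any real deployment).
CONTEXT_WITH_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

CONTEXT_WITHOUT_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == "__main__":
    for ver in ("9.0.56", "9.0.57", "10.0.0-M5", "10.1.0-M9"):
        print(ver, assess(ver, CONTEXT_WITH_FILESTORE))
```

Run it against the version reported by your Tomcat installation and the context.xml of each deployed application; a version inside the range but without FileStore configured still warrants the upgrade in L42 of the advisory, but is not immediately exploitable through this bug.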