Apache Tomcat up to 8.5.73/9.0.56/10.0.14/10.1.0-M8 Fix CVE-2020-9484 toctou

Summaryinfo

A vulnerability labeled as problematic has been found in Apache Tomcat up to 8.5.73/9.0.56/10.0.14/10.1.0-M8. This affects an unknown part of the component Fix CVE-2020-9484. The manipulation results in toctou. This vulnerability is cataloged as CVE-2022-23181. The attack must be initiated from a local position. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic has been found in Apache Tomcat up to 8.5.73/9.0.56/10.0.14/10.1.0-M8 (Application Server Software). Affected is an unknown part of the component Fix CVE-2020-9484. The manipulation with an unknown input leads to a toctou vulnerability. CWE is classifying the issue as CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was shared 01/27/2022. The advisory is available at lists.apache.org. This vulnerability is traded as CVE-2022-23181 since 01/12/2022. The technical details are unknown and an exploit is not available.

The vulnerability scanner Nessus provides a plugin with the ID 211162 (Fedora 37 : tomcat (2022-30ce1cbe6e)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 8.5.75, 9.0.58, 10.0.16 or 10.1.0-M10 eliminates this vulnerability. The upgrade is hosted for download at tomcat.apache.org.

The vulnerability is also documented in the databases at Tenable (211162) and EUVD (EUVD-2022-0937). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

Version

• 8.5.0
• 8.5.1
• 8.5.2
• 8.5.3
• 8.5.4
• 8.5.5
• 8.5.6
• 8.5.7
• 8.5.8
• 8.5.9
• 8.5.10
• 8.5.11
• 8.5.12
• 8.5.13
• 8.5.14
• 8.5.15
• 8.5.16
• 8.5.17
• 8.5.18
• 8.5.19
• 8.5.20
• 8.5.21
• 8.5.22
• 8.5.23
• 8.5.24
• 8.5.25
• 8.5.26
• 8.5.27
• 8.5.28
• 8.5.29
• 8.5.30
• 8.5.31
• 8.5.32
• 8.5.33
• 8.5.34
• 8.5.35
• 8.5.36
• 8.5.37
• 8.5.38
• 8.5.39
• 8.5.40
• 8.5.41
• 8.5.42
• 8.5.43
• 8.5.44
• 8.5.45
• 8.5.46
• 8.5.47
• 8.5.48
• 8.5.49
• 8.5.50
• 8.5.51
• 8.5.52
• 8.5.53
• 8.5.54
• 8.5.55
• 8.5.56
• 8.5.57
• 8.5.58
• 8.5.59
• 8.5.60
• 8.5.61
• 8.5.62
• 8.5.63
• 8.5.64
• 8.5.65
• 8.5.66
• 8.5.67
• 8.5.68
• 8.5.69
• 8.5.70
• 8.5.71
• 8.5.72
• 8.5.73
• 9.0.0
• 9.0.1
• 9.0.2
• 9.0.3
• 9.0.4
• 9.0.5
• 9.0.6
• 9.0.7
• 9.0.8
• 9.0.9
• 9.0.10
• 9.0.11
• 9.0.12
• 9.0.13
• 9.0.14
• 9.0.15
• 9.0.16
• 9.0.17
• 9.0.18
• 9.0.19
• 9.0.20
• 9.0.21
• 9.0.22
• 9.0.23
• 9.0.24
• 9.0.25
• 9.0.26
• 9.0.27
• 9.0.28
• 9.0.29
• 9.0.30
• 9.0.31
• 9.0.32
• 9.0.33
• 9.0.34
• 9.0.35
• 9.0.36
• 9.0.37
• 9.0.38
• 9.0.39
• 9.0.40
• 9.0.41
• 9.0.42
• 9.0.43
• 9.0.44
• 9.0.45
• 9.0.46
• 9.0.47
• 9.0.48
• 9.0.49
• 9.0.50
• 9.0.51
• 9.0.52
• 9.0.53
• 9.0.54
• 9.0.55
• 9.0.56
• 10.0.0
• 10.0.1
• 10.0.2
• 10.0.3
• 10.0.4
• 10.0.5
• 10.0.6
• 10.0.7
• 10.0.8
• 10.0.9
• 10.0.10
• 10.0.11
• 10.0.12
• 10.0.13
• 10.0.14
• 10.1.0-M8

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion