CVE-2022-23181 Apache Tomcat Local Privilege Escalation
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M8
Apache Tomcat 10.0.0-M5 to 10.0.14
Apache Tomcat 9.0.35 to 9.0.56
Apache Tomcat 8.5.55 to 8.5.73
Description:
The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability that allowed a local attacker to perform actions with the
privileges of the user that the Tomcat process is using. This issue is
only exploitable when Tomcat is configured to persist sessions using the
FileStore.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.0-M10 or later
- Upgrade to Apache Tomcat 10.0.16 or later
- Upgrade to Apache Tomcat 9.0.58 or later
- Upgrade to Apache Tomcat 8.5.75 or later
Note: This issue was fixed in Apache Tomcat 10.1.0-M9, 10.0.15, 9.0.57
and 8.5.74 but the release vote for those release candidates did not
pass. Therefore, although users must download 10.1.0-M10, 10.0.16,
9.0.58 or 8.5.75 to obtain a version that includes a fix for this issue,
versions 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 are not included in the
list of affected versions.
History:
2022-01-26 Original advisory
Credit:
This issue was reported to the Apache Tomcat Security team by Trung Pham
of Viettel Cyber Security.
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
