History: May 12, 2022 - 8:15 a.m.

CVE-2022-29885

2022-05-12 08:15:07
CWE-400
apache
web.nvd.nist.gov
apache tomcat
encryptinterceptor
documentation
cve-2022-29885
nvd
security vulnerability

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4
Confidence: High

EPSS: 0.029
Percentile: 90.8%

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Affected configurations

Node
apache tomcat Range 8.5.38–8.5.78
OR
apache tomcat Range 9.0.13–9.0.62
OR
apache tomcat Range 10.0.0–10.0.20
OR
apache tomcat Match 10.1.0 milestone1
OR
apache tomcat Match 10.1.0 milestone10
OR
apache tomcat Match 10.1.0 milestone11
OR
apache tomcat Match 10.1.0 milestone12
OR
apache tomcat Match 10.1.0 milestone13
OR
apache tomcat Match 10.1.0 milestone14
OR
apache tomcat Match 10.1.0 milestone2
OR
apache tomcat Match 10.1.0 milestone3
OR
apache tomcat Match 10.1.0 milestone4
OR
apache tomcat Match 10.1.0 milestone5
OR
apache tomcat Match 10.1.0 milestone6
OR
apache tomcat Match 10.1.0 milestone7
OR
apache tomcat Match 10.1.0 milestone8
OR
apache tomcat Match 10.1.0 milestone9

Node
debian debian_linux Match 10.0
OR
debian debian_linux Match 11.0

Node
oracle hospitality_cruise_shipboard_property_management_system Match 20.2.1

Vendor  Product  Version  CPE
apache  tomcat   *        cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
apache  tomcat   10.1.0   cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Tomcat",
    "versions": [
      {
        "version": "Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14",
        "status": "affected"
      },
      {
        "version": "Apache Tomcat 10 10.0.0-M1 to 10.0.20",
        "status": "affected"
      },
      {
        "version": "Apache Tomcat 9 9.0.13 to 9.0.62",
        "status": "affected"
      },
      {
        "version": "Apache Tomcat 8.5 8.5.38 to 8.5.78 ",
        "status": "affected"
      }
    ]
  }
]
