Apache Tomcat (tomcat)
TOMCAT:6C76B942203866596C449F47FBCB6A47
May 06, 2022 - 12:00 a.m.

Fixed in Apache Tomcat 10.0.21

2022-05-06 00:00:00
Apache Tomcat
tomcat.apache.org
Tags: apache tomcat, encryptinterceptor, dos

CVSS2: 5
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.5 (Confidence: High)

EPSS: 0.029 (Percentile: 90.8%)

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885

The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

This was fixed with commit 36826ea6.

This issue was reported to the Apache Tomcat Security team by 4ra1n on 17 April 2022. The issue was made public on 10 May 2022.

Affects: 10.0.0-M1 to 10.0.20

Affected configurations

Vulners node:
  apache | tomcat | Range | 10.0.0-M1
  OR
  apache | tomcat | Range | 10.0.20

Vendor | Product | Version | CPE
apache | tomcat | * | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
