CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS
Percentile: 90.8%

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to
10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor
incorrectly stated it enabled Tomcat clustering to run over an untrusted
network. This was not correct. While the EncryptInterceptor does provide
confidentiality and integrity protection, it does not protect against all
risks associated with running over any untrusted network, particularly DoS
risks.
github.com/apache/tomcat/commit/b679bc627f5a4ea6510af95adfb7476b07eba890 (8.5.79)
github.com/apache/tomcat/commit/eaafd28296c54d983e28a47953c1f5cb2c334f48 (9.0.63)
launchpad.net/bugs/cve/CVE-2022-29885
lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
nvd.nist.gov/vuln/detail/CVE-2022-29885
security-tracker.debian.org/tracker/CVE-2022-29885
www.cve.org/CVERecord?id=CVE-2022-29885