CVE-2022-29885
Severity CVSS v4.0: Pending analysis
Type: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Publication date: 12/05/2022
Last modified: 06/04/2023
Description
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Impact
Base Score 3.x: 7.50 (Severity 3.x: HIGH)
Base Score 2.0: 5.00 (Severity 2.0: MEDIUM)
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 8.5.38 (including) | 8.5.78 (including) |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 9.0.13 (including) | 9.0.62 (including) |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 10.0.0 (including) | 10.0.20 (including) |
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:* | | |
cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
- https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
- https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
- https://security.netapp.com/advisory/ntap-20220629-0002/
- https://www.debian.org/security/2022/dsa-5265
- https://www.oracle.com/security-alerts/cpujul2022.html