CVE-2022-23181

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type Values Removed Values Added
References () https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory () https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory
References () https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory
References () https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory () https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory
References () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

07 Nov 2022, 18:49

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5265 - (DEBIAN) https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory

30 Oct 2022, 04:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5265 -

26 Oct 2022, 15:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html -

30 Jul 2022, 02:02

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
References (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

25 Jul 2022, 18:20

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

20 Apr 2022, 00:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

15 Apr 2022, 16:22

Type Values Removed Values Added
CVSS v2 : 4.4
v3 : 7.0
v2 : 3.7
v3 : 7.0

04 Mar 2022, 21:33

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory

17 Feb 2022, 18:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ -

02 Feb 2022, 17:04

Type Values Removed Values Added
References (MISC) https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - (MISC) https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 4.4
v3 : 7.0
CPE cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
CWE CWE-367

27 Jan 2022, 13:21

Type Values Removed Values Added
New CVE

Information

Published : 2022-01-27 13:15

Updated : 2024-11-21 06:48


NVD link : CVE-2022-23181

Mitre link : CVE-2022-23181

CVE.ORG link : CVE-2022-23181


JSON object : View

Products Affected

oracle

  • managed_file_transfer
  • communications_cloud_native_core_policy
  • agile_engineering_data_management
  • financial_services_crime_and_compliance_management_studio
  • mysql_enterprise_monitor

debian

  • debian_linux

apache

  • tomcat
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition