CVE-2022-23181

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

21 Nov 2024, 06:48

Type Values Removed Values Added
References () https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory () https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory
References () https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory
References () https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory () https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory
References () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

07 Nov 2022, 18:49

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5265 - (DEBIAN) https://www.debian.org/security/2022/dsa-5265 - Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

30 Oct 2022, 04:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5265 -

26 Oct 2022, 15:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html -

30 Jul 2022, 02:02

Type Values Removed Values Added
References (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*

25 Jul 2022, 18:20

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

20 Apr 2022, 00:16

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

15 Apr 2022, 16:22

Type Values Removed Values Added
CVSS v2 : 4.4
v3 : 7.0
v2 : 3.7
v3 : 7.0

04 Mar 2022, 21:33

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ - Third Party Advisory

17 Feb 2022, 18:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0010/ -

02 Feb 2022, 17:04

Type Values Removed Values Added
References (MISC) https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - (MISC) https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 - Mailing List, Mitigation, Vendor Advisory
CWE CWE-367
CVSS v2 : unknown
v3 : unknown
v2 : 4.4
v3 : 7.0
CPE cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*

27 Jan 2022, 13:21

Type Values Removed Values Added
New CVE

Information

Published : 2022-01-27 13:15

Updated : 2024-11-21 06:48


NVD link : CVE-2022-23181

Mitre link : CVE-2022-23181

CVE.ORG link : CVE-2022-23181


JSON object : View

Products Affected

oracle

  • mysql_enterprise_monitor
  • financial_services_crime_and_compliance_management_studio
  • communications_cloud_native_core_policy
  • managed_file_transfer
  • agile_engineering_data_management

debian

  • debian_linux

apache

  • tomcat
CWE
CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition