CVE-2022-29885

Sažetak

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Reference

https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
https://security.netapp.com/advisory/ntap-20220629-0002/
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
https://www.debian.org/security/2022/dsa-5265
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:P

Zadnje važnije ažuriranje

06-04-2023 - 17:15

Objavljeno

12-05-2022 - 08:15