Data Handling in Apache Tomcat - CVE-2022-29885

 


Published: May 16, 2022 / Updated: October 25, 2024


Vulnerability identifier: #VU63225
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2022-29885
CWE-ID: CWE-19
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Apache Foundation
Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in the documentation for the EncryptInterceptor, which incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. A remote attacker can perform a denial of service attack against the exposed EncryptInterceptor.


How to mitigate CVE-2022-29885

Install updates from the vendor's website.
