Vulnerability in Apache Tomcat
CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use t…
EPSS score: 0.935 (99.8th percentile).
Affected products
- Apache Tomcat (vendor field not set): versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to 7.0.103
Public proof-of-concept exploits
References
- [tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence (mailing-list, x_refsource_MLIST)
- [debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update (mailing-list, x_refsource_MLIST)
- [tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence (mailing-list, x_refsource_MLIST)
- openSUSE-SU-2020:0711 (vendor-advisory, x_refsource_SUSE)
- [tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence (mailing-list, x_refsource_MLIST)
- [debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
- 20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager (mailing-list, x_refsource_FULLDISC)
- GLSA-202006-21 (vendor-advisory, x_refsource_GENTOO)
- FEDORA-2020-ce396e7d5c (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2020-d9169235a8 (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- Q: What is CVE-2020-9484?
  A: CVE-2020-9484 is a vulnerability in Apache Tomcat. Published 2020-05-20.
- Q: Is CVE-2020-9484 known to be exploited?
  A: 107 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.