Vulnerability in Apache Tomcat
CVE-2022-23181
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions wit…
Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
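The race described above, reduced to the general check-then-open pattern, as an added illustration (this is not Tomcat's code): a loader that validates the canonical path of a persisted session file and then re-opens it by name, beside a hardened loader that opens first and validates the descriptor it will actually read. The store directory, file names, the file outside the store and the symlink swap performed in the race window are all constructed; the `during_window` hook stands in for the attacker's timing. It needs a POSIX platform (`O_NOFOLLOW`, `dir_fd`).

```python
import errno
import os
import shutil
import stat
import tempfile


def resolved_inside(path: str, base: str) -> bool:
    """Time-of-check: does the fully resolved path stay under base/?"""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def bare_name(session_id: str) -> bool:
    """True only for a plain file name: no separators, no '.' or '..'."""
    return bool(session_id) and session_id == os.path.basename(session_id) \
        and session_id not in (".", "..")


def load_check_then_reopen(store_dir, session_id, during_window=None):
    """Vulnerable pattern: validate the canonical path, then look the name up
    a second time when opening. Whatever the name points to at open time wins;
    the during_window hook is where a local attacker would swap the entry."""
    path = os.path.join(store_dir, session_id + ".session")
    if not resolved_inside(path, store_dir):
        raise PermissionError("session file resolves outside the store")
    if during_window is not None:
        during_window()
    with open(path, "rb") as f:  # second lookup of the same name
        return f.read()


def load_open_then_verify(store_dir, session_id, during_window=None):
    """Hardened pattern: accept only a bare name, open it relative to the store
    directory with O_NOFOLLOW, and validate the descriptor that is actually
    read. There is no second lookup left to race (POSIX only)."""
    if not bare_name(session_id):
        raise PermissionError("session id must be a bare file name")
    dir_fd = os.open(store_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        if during_window is not None:
            during_window()
        try:
            fd = os.open(session_id + ".session",
                         os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as e:
            if e.errno in (errno.ELOOP, errno.EMLINK):  # entry is a symlink
                raise PermissionError("session entry is a symlink") from e
            raise
        with os.fdopen(fd, "rb") as f:
            if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
                raise PermissionError("session entry is not a regular file")
            return f.read()
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario: a store with one legitimate session file and a
    file outside it that the attacker points the entry at during the window."""
    root = tempfile.mkdtemp()
    try:
        store = os.path.join(root, "sessions")
        os.mkdir(store)
        outside = os.path.join(root, "outside.bin")
        with open(outside, "wb") as f:
            f.write(b"contents from outside the store")
        entry = os.path.join(store, "abc123.session")

        def write_legit():
            with open(entry, "wb") as f:
                f.write(b"legitimate session data")

        def swap_for_symlink():  # the attacker's move inside the race window
            os.remove(entry)
            os.symlink(outside, entry)

        write_legit()
        vulnerable = load_check_then_reopen(store, "abc123", swap_for_symlink)
        os.remove(entry)
        write_legit()
        try:
            hardened = load_open_then_verify(store, "abc123", swap_for_symlink)
        except PermissionError as e:
            hardened = "refused: " + str(e)
        return {"vulnerable": vulnerable, "hardened": hardened}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is not the extra checks but that every check is made on the object that is then read: the name is opened once, relative to a directory descriptor, with symlink following refused, and `fstat` inspects the open descriptor rather than the path. Canonicalising the path and then opening it again (even opening the canonical path) still performs a second lookup that a local writer can race.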
EPSS: 0.007 (48.0th percentile), i.e. an estimated 0.7% probability of exploitation activity in the next 30 days, roughly the median for published CVEs.
CVSS v3 metric
CVSS v3.1 base score 7.0 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, i.e. local access and low privileges are required, attack complexity is high because the race window has to be won, no user interaction is needed, scope is unchanged, and confidentiality, integrity and availability impact are all high.
Affected products
- Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 (fixed in 10.1.0-M10, 10.0.16, 9.0.58 and 8.5.74)
- Oracle Agile Engineering Data Management 6.2.1.0
- Oracle Communications Cloud Native Core Policy 1.15.0
- Oracle Financial Services Crime and Compliance Management Studio 8.0.8.2.0 and 8.0.8.3.0
- Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0
- Oracle MySQL Enterprise Monitor (affected version not specified)
- Debian GNU/Linux 10 and 11 (via its Tomcat packages)
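A check a practitioner would want against the ranges above: the version comparison below is an added helper, not project code. It understands milestone releases (`x.y.z-Mn` sorts before the final `x.y.z`) and accepts the `Server version: Apache Tomcat/9.0.56` line printed by Tomcat's `bin/version.sh`; the ranges are taken from this advisory and the sample output is constructed.

```python
import re
from typing import Tuple

# Affected ranges, inclusive, as stated in this advisory for each branch.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M8"),
    ("10.0.0-M5", "10.0.14"),
    ("9.0.35", "9.0.56"),
    ("8.5.55", "8.5.73"),
]

# A final release sorts after every milestone of the same x.y.z.
FINAL = 10**9

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract the first Tomcat version in text ('9.0.56', '10.1.0-M8',
    'Apache Tomcat/9.0.56', a 'Server version:' line from bin/version.sh)
    as a comparable (major, minor, patch, milestone) tuple."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else FINAL)


def is_affected(text: str) -> bool:
    """True when the version in text falls inside any listed affected range."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def classify(version_sh_output: str) -> dict:
    """Interpret the output of bin/version.sh (see the constructed sample)."""
    for line in version_sh_output.splitlines():
        if line.startswith("Server version:"):
            version = line.split("/", 1)[1].strip()
            return {"version": version,
                    "affected_by_CVE-2022-23181": is_affected(version)}
    raise ValueError("no 'Server version:' line in output")


# Constructed sample of the first lines bin/version.sh prints.
SAMPLE_OUTPUT = """\
Server version: Apache Tomcat/9.0.56
Server number:  9.0.56.0
"""

if __name__ == "__main__":
    print(classify(SAMPLE_OUTPUT))
```

The upstream number is only meaningful for upstream builds. Distribution packages such as Debian's backport fixes without changing the version, so for those the package changelog, not this comparison, is the authority.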
Weakness classification (CWE)
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
References
- Apache Tomcat security announcement for CVE-2022-23181 (mailing list, vendor advisory with mitigation), reported via security@apache.org
- Fix commits (patch) and third-party advisories referenced from that announcement
Frequently asked questions
- What is CVE-2022-23181?
- CVE-2022-23181 is a high-severity vulnerability in Apache Tomcat, classified as CWE-367, Time-of-check Time-of-use (TOCTOU) Race Condition: the check on persisted session files that the fix for CVE-2020-9484 introduced can be raced by a local attacker. CVSS v3.1 base score 7.0/10. Published 2022-01-27.
- How severe is CVE-2022-23181?
- High severity. CVSS v3 base score is 7.0 out of 10.
- Is CVE-2022-23181 known to be exploited?
- 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.