CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-42252 – Apache Tomcat request smuggling via malformed content-length
https://notcve.org/view.php?id=CVE-2022-42252
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. Si Apache Tomcat 8.5.0 a 8.5.82, 9.0.0-M1 a 9.0.67, 10.0.0-M1 a 10.0.26 o 10.1.0-M1 a 10.1.0 se configuró para ignorar encabezados HTTP no válidos mediante la configuración de rechazarIllegalHeader a falso (el valor predeterminado solo para 8.5.x), Tomcat no rechazó una solicitud que contenía un encabezado Content-Length no válido, lo que hace posible un ataque de contrabando de solicitudes si Tomcat estaba ubicado detrás de un proxy inverso que tampoco rechazó la solicitud con el encabezado no válido. A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack. • https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq https://security.gentoo.org/glsa/202305-37 https://access.redhat.com/security/cve/CVE-2022-42252 https://bugzilla.redhat.com/show_bug.cgi?id=2141329 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 3.7EPSS: 0%CPEs: 17EXPL: 0CVE-2021-43980 – Apache Tomcat: Information disclosure
https://notcve.org/view.php?id=CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. Una implementación simplificada de lecturas y escrituras de bloqueo introducida en Tomcat versión 10 y retrocedida a Tomcat versión 9.0.47 en adelante expuso un error de concurrencia de larga data (pero extremadamente difícil de activar) en Apache Tomcat versiones 10.1.0 a 10. 1.0-M12, 10.0.0-M1 a 10.0.18, 9.0.0-M1 a 9.0.60 y 8.5.0 a 8.5.77, que podía causar que las conexiones de los clientes compartieran una instancia de Http11Processor resultando en que las respuestas, o parte de ellas, fueran recibidas por el cliente equivocado • http://www.openwall.com/lists/oss-security/2022/09/28/1 https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html https://www.debian.org/security/2022/dsa-5265 https://access.redhat.com/security/cve/CVE-2021-43980 https://bugzilla.redhat.com/show_bug.cgi?id=2130599 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 1CVE-2022-34305 – XSS in examples web application
https://notcve.org/view.php?id=CVE-2022-34305
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. En Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M16, 10.0.0-M1 a 10.0.22, 9.0.30 a 9.0.64 y 8.5.50 a 8.5.81, el ejemplo de autenticación de formularios en la aplicación web de ejemplos mostraba los datos proporcionados por el usuario sin filtrar, exponiendo una vulnerabilidad de tipo XSS • https://github.com/zeroc00I/CVE-2022-34305 http://www.openwall.com/lists/oss-security/2022/06/23/1 https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k https://security.gentoo.org/glsa/202208-34 https://security.netapp.com/advisory/ntap-20220729-0006 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 0CVE-2022-25762 – Response mix-up with WebSocket concurrent send and close
https://notcve.org/view.php?id=CVE-2022-25762
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. Si una aplicación web envía un mensaje WebSocket simultáneamente con el cierre de la conexión WebSocket cuando es ejecutado en Apache Tomcat versiones 8.5.0 a 8.5.75 o Apache Tomcat versiones 9.0.0.M1 a 9.0.20, es posible que la aplicación siga usando el socket después de que se haya cerrado. El manejo de errores que es activado en este caso podría causar que el objeto agrupado sea colocado en el pool dos veces. • https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c https://security.netapp.com/advisory/ntap-20220629-0003 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-25762 https://bugzilla.redhat.com/show_bug.cgi?id=2085304 • CWE-226: Sensitive Information in Resource Not Removed Before Reuse CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.5EPSS: 2%CPEs: 20EXPL: 3CVE-2022-29885 – EncryptInterceptor does not provide complete protection on insecure networks
https://notcve.org/view.php?id=CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. La documentación de Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M14, 10.0.0-M1 a 10.0.20, 9.0.13 a 9.0.62 y 8.5.38 a 8.5.78, para el EncryptInterceptor indicaba incorrectamente que permitía que el clustering de Tomcat fuera ejecutado sobre una red no confiable. Esto no es correcto. • https://www.exploit-db.com/exploits/51262 https://github.com/quynhlab/CVE-2022-29885 https://github.com/iveresk/CVE-2022-29885 http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html https://security.netapp.com/advisory/ntap-20220629-0002 https://www.debian.org/security/2022/dsa-5265 https://www.oracle.com/security-alerts/cpujul2022 • CWE-400: Uncontrolled Resource Consumption •