CVE-2022-23181

Summary

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache TomcatApache Tomcat 10.1 10.1.0-M1 to 10.1.0-M8affected
Apache Software FoundationApache TomcatApache Tomcat 10.0 10.0.0-M5 to 10.0.14affected
Apache Software FoundationApache TomcatApache Tomcat 9 9.0.35 to 9.0.56affected
Apache Software FoundationApache TomcatApache Tomcat 8 8.5.55 to 8.5.73affected

Weaknesses

  • CWE-367: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

ADP Enrichment

CVE Program Container

Additional References

References