CVE-2022-23181
Race condition in Apache Tomcat
CVSS 3.1 base score: 7.0 (HIGH)
EPSS: 0.24%
Description
The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use (TOCTOU) race condition into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user account under which the Tomcat process runs. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
How to fix CVE-2022-23181
To remediate CVE-2022-23181, upgrade the affected package to a fixed version below.
- Upgrade to 8.5.74 or later
- Upgrade to 9.0.43-2~deb11u4 or later
- Upgrade to 10.0.16 or later
Is CVE-2022-23181 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 8.5.55, < 8.5.74, >= 9.0.35, < 9.0.57, >= 10.0.1, < 10.0.15
- from 0, < 9.0.43-2~deb11u4
- >= 10.0.0, < 10.0.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.0) | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |