CVE-2022-29885 — HIGH (7.5)

Q: How severe is CVE-2022-29885?

CVE-2022-29885 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29885?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Hospitality Cruise Shipboard Property Management System.

Vulnerability Description

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 8.5.38, <= 8.5.78
Debian	Debian Linux	10.0
Oracle	Hospitality Cruise Shipboard Property Management System	20.2.1

Related Weaknesses (CWE)

CWE-400

References

http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcvMailing ListMitigationVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0002/Third Party Advisory
https://www.debian.org/security/2022/dsa-5265Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcvMailing ListMitigationVendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0002/Third Party Advisory
https://www.debian.org/security/2022/dsa-5265Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2022-29885?

CVE-2022-29885 is a vulnerability with a CVSS score of 7.5 (HIGH). The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to ru...

How severe is CVE-2022-29885?

CVE-2022-29885 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29885?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Hospitality Cruise Shipboard Property Management System.