CVE-2022-29885

Published: 12/05/2022 Updated: 06/04/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 447
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux (transitively affected from Spring Beans), using parameter data binding. This flaw allows a malicious user to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine. (CVE-2022-22965)

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. (CVE-2022-29885)

Vulnerable Products

apache tomcat 10.1.0

apache tomcat

debian debian linux 10.0

debian debian linux 11.0

oracle hospitality cruise shipboard property management system 20.2.1

Vendor Advisories

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2021-43980: The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug that could cause client connec ...
A flaw was found in the tomcat package. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. In this case, the error handling triggered could cause the pooled object to be placed in the pool twice. This issue results in subsequen ...
A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within ...

Github Repositories

Apache Guacamole 1.4.0 based on Tomcat 9.0.64

This work is based on the work of github.com/oznu/docker-guacamole. A Docker container for Apache Guacamole, a client-less remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH over HTML5. This image will run on most platforms that support Docker, including Docker for arm64 boards (Raspberry ARM64v8 on a 64-bit OS). This container runs the guacamo

Apache Tomcat CVE-2022-29885

CVE-2022-29885. The tool is only used for security research. It is prohibited to use the tool to launch illegal attacks, and the user is responsible for the consequences. The tool is intended only for security research and internal self-assessment; using it to launch illegal attacks is prohibited, and the user is responsible for the consequences. Introduce: Apache Tomcat DoS (CVE-2022-29885) Exploit. Denial of Service in EncryptInterceptor.

Common Vulnerabilities and Exposures Searcher

PTVULNSEARCHER: Common Vulnerabilities and Exposures Searcher. ptvulnsearcher is a tool for searching CVEs (Common Vulnerabilities and Exposures). This tool allows searching using keywords or an exact CVE. Installation: pip install ptvulnsearcher. Add to PATH: If you cannot invoke the script in your terminal, it's probably because it's not in your

Apache Tomcat DoS (CVE-2022-29885) Exploit

CVE-2022-29885 by 1vere$k. Apache Tomcat DoS (CVE-2022-29885) Exploit. Denial of Service in EncryptInterceptor (Tomcat Cluster). The target machine needs to start the Cluster Nio Receiver. Sending a special TCP packet will cause a Denial of Service to the target. Whether EncryptInterceptor is used or not, there is the possibility of a denial of service vulnerability with condition