CVE-2022-29885

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Published: May 12, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-29885
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
apache / tomcat	10.1.0-milestone3	10.1.0-milestone3.x
apache / tomcat	10.1.0-milestone4	10.1.0-milestone4.x
apache / tomcat	10.1.0-milestone5	10.1.0-milestone5.x
apache / tomcat	10.1.0-milestone1	10.1.0-milestone1.x
apache / tomcat	10.1.0-milestone2	10.1.0-milestone2.x
apache / tomcat	10.1.0-milestone7	10.1.0-milestone7.x
apache / tomcat	10.1.0-milestone8	10.1.0-milestone8.x
apache / tomcat	10.1.0-milestone9	10.1.0-milestone9.x
apache / tomcat	10.1.0-milestone6	10.1.0-milestone6.x
apache / tomcat	10.1.0-milestone10	10.1.0-milestone10.x
apache / tomcat	10.1.0-milestone11	10.1.0-milestone11.x
apache / tomcat	10.1.0-milestone12	10.1.0-milestone12.x
apache / tomcat	10.1.0-milestone13	10.1.0-milestone13.x
apache / tomcat	10.1.0-milestone14	10.1.0-milestone14.x
apache / tomcat	10.0.0	10.0.20.x
apache / tomcat	9.0.13	9.0.62.x
apache / tomcat	8.5.38	8.5.78.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
oracle / hospitality_cruise_shipboard_property_management_system	20.2.1	20.2.1.x

Vulnerability Database

289,599

CVE-2022-29885