ID CVE-2020-9484
Summary When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.80:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.81:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.82:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.83:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.83:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.84:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.84:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.85:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.85:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.86:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.86:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.87:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.87:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.89:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.89:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.90:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.90:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.91:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.91:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.92:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.92:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.93:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.93:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.94:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.94:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.95:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.95:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.96:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.96:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.97:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.97:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.98:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.98:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.99:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.99:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.100:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.100:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.103:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.103:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
CVSS
Base: 4.4 (as of 27-10-2020 - 20:15)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
VectorComplexityAuthentication
LOCAL MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:L/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1838332
    title CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment tomcat6 is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529001
          • comment tomcat6 is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335002
        • AND
          • comment tomcat6-admin-webapps is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529003
          • comment tomcat6-admin-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335004
        • AND
          • comment tomcat6-docs-webapp is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529005
          • comment tomcat6-docs-webapp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335006
        • AND
          • comment tomcat6-el-2.1-api is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529007
          • comment tomcat6-el-2.1-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335008
        • AND
          • comment tomcat6-javadoc is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529009
          • comment tomcat6-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335010
        • AND
          • comment tomcat6-jsp-2.1-api is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529011
          • comment tomcat6-jsp-2.1-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335012
        • AND
          • comment tomcat6-lib is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529013
          • comment tomcat6-lib is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335014
        • AND
          • comment tomcat6-servlet-2.5-api is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529015
          • comment tomcat6-servlet-2.5-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335018
        • AND
          • comment tomcat6-webapps is earlier than 0:6.0.24-115.el6_10
            oval oval:com.redhat.rhsa:tst:20202529017
          • comment tomcat6-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110335020
    rhsa
    id RHSA-2020:2529
    released 2020-06-11
    severity Important
    title RHSA-2020:2529: tomcat6 security update (Important)
  • bugzilla
    id 1838332
    title CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment tomcat is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530001
          • comment tomcat is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686002
        • AND
          • comment tomcat-admin-webapps is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530003
          • comment tomcat-admin-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686004
        • AND
          • comment tomcat-docs-webapp is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530005
          • comment tomcat-docs-webapp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686006
        • AND
          • comment tomcat-el-2.2-api is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530007
          • comment tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686008
        • AND
          • comment tomcat-javadoc is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530009
          • comment tomcat-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686010
        • AND
          • comment tomcat-jsp-2.2-api is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530011
          • comment tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686012
        • AND
          • comment tomcat-jsvc is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530013
          • comment tomcat-jsvc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686014
        • AND
          • comment tomcat-lib is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530015
          • comment tomcat-lib is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686016
        • AND
          • comment tomcat-servlet-3.0-api is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530017
          • comment tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686018
        • AND
          • comment tomcat-webapps is earlier than 0:7.0.76-12.el7_8
            oval oval:com.redhat.rhsa:tst:20202530019
          • comment tomcat-webapps is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140686020
    rhsa
    id RHSA-2020:2530
    released 2020-06-11
    severity Important
    title RHSA-2020:2530: tomcat security update (Important)
rpms
  • tomcat-native-0:1.2.23-22.redhat_22.ep7.el6
  • tomcat-native-0:1.2.23-22.redhat_22.ep7.el7
  • tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6
  • tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7
  • tomcat7-0:7.0.70-40.ep7.el6
  • tomcat7-0:7.0.70-40.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-40.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-40.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-40.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-40.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7
  • tomcat7-javadoc-0:7.0.70-40.ep7.el6
  • tomcat7-javadoc-0:7.0.70-40.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7
  • tomcat7-jsvc-0:7.0.70-40.ep7.el6
  • tomcat7-jsvc-0:7.0.70-40.ep7.el7
  • tomcat7-lib-0:7.0.70-40.ep7.el6
  • tomcat7-lib-0:7.0.70-40.ep7.el7
  • tomcat7-log4j-0:7.0.70-40.ep7.el6
  • tomcat7-log4j-0:7.0.70-40.ep7.el7
  • tomcat7-selinux-0:7.0.70-40.ep7.el6
  • tomcat7-selinux-0:7.0.70-40.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7
  • tomcat7-webapps-0:7.0.70-40.ep7.el6
  • tomcat7-webapps-0:7.0.70-40.ep7.el7
  • tomcat8-0:8.0.36-44.ep7.el6
  • tomcat8-0:8.0.36-44.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-44.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-44.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-44.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-44.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7
  • tomcat8-javadoc-0:8.0.36-44.ep7.el6
  • tomcat8-javadoc-0:8.0.36-44.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7
  • tomcat8-jsvc-0:8.0.36-44.ep7.el6
  • tomcat8-jsvc-0:8.0.36-44.ep7.el7
  • tomcat8-lib-0:8.0.36-44.ep7.el6
  • tomcat8-lib-0:8.0.36-44.ep7.el7
  • tomcat8-log4j-0:8.0.36-44.ep7.el6
  • tomcat8-log4j-0:8.0.36-44.ep7.el7
  • tomcat8-selinux-0:8.0.36-44.ep7.el6
  • tomcat8-selinux-0:8.0.36-44.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7
  • tomcat8-webapps-0:8.0.36-44.ep7.el6
  • tomcat8-webapps-0:8.0.36-44.ep7.el7
  • jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws
  • jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws
  • jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws
  • jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws
  • jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws
  • jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws
  • jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws
  • jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws
  • jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws
  • jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws
  • tomcat6-0:6.0.24-115.el6_10
  • tomcat6-admin-webapps-0:6.0.24-115.el6_10
  • tomcat6-docs-webapp-0:6.0.24-115.el6_10
  • tomcat6-el-2.1-api-0:6.0.24-115.el6_10
  • tomcat6-javadoc-0:6.0.24-115.el6_10
  • tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10
  • tomcat6-lib-0:6.0.24-115.el6_10
  • tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10
  • tomcat6-webapps-0:6.0.24-115.el6_10
  • tomcat-0:7.0.76-12.el7_8
  • tomcat-admin-webapps-0:7.0.76-12.el7_8
  • tomcat-docs-webapp-0:7.0.76-12.el7_8
  • tomcat-el-2.2-api-0:7.0.76-12.el7_8
  • tomcat-javadoc-0:7.0.76-12.el7_8
  • tomcat-jsp-2.2-api-0:7.0.76-12.el7_8
  • tomcat-jsvc-0:7.0.76-12.el7_8
  • tomcat-lib-0:7.0.76-12.el7_8
  • tomcat-servlet-3.0-api-0:7.0.76-12.el7_8
  • tomcat-webapps-0:7.0.76-12.el7_8
refmap via4
confirm https://security.netapp.com/advisory/ntap-20200528-0005/
debian DSA-4727
fedora
  • FEDORA-2020-ce396e7d5c
  • FEDORA-2020-d9169235a8
fulldisc 20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager
gentoo GLSA-202006-21
misc
mlist
  • [debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update
  • [debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update
  • [debian-lts-announce] 20200712 [SECURITY] [DLA 2279-1] tomcat8 security update
  • [tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
  • [tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml
  • [tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
  • [tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
suse openSUSE-SU-2020:0711
ubuntu USN-4448-1
Last major update 27-10-2020 - 20:15
Published 20-05-2020 - 19:15
Last modified 27-10-2020 - 20:15
Back to Top