var-202005-1052
Vulnerability from variot
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat's use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484) The fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329).
For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u2.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8 TjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW 1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE mpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO 0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG 2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI 9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv REID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L tTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5 RtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2 iG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS bTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU= =E8Ei -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-6943-1 August 01, 2024
tomcat8, tomcat9 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Tomcat. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected tomcat8 for Ubuntu 18.04 LTS (CVE-2020-9484)
It was discovered that Tomcat incorrectly handled certain HTTP/2 connection requests. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. This issue only affected tomcat8 for Ubuntu 18.04 LTS (CVE-2021-25122)
Thomas Wozenilek discovered that Tomcat incorrectly handled certain TLS
packets. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected tomcat8 for Ubuntu 18.04 LTS (CVE-2021-41079)
Trung Pham discovered that a race condition existed in Tomcat when handling session files with FileStore. A remote attacker could possibly use this issue to execute arbitrary code. This issue affected tomcat8 for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS (CVE-2022-23181)
It was discovered that Tomcat's documentation incorrectly stated that EncryptInterceptor provided availability protection when running over an untrusted network. A remote attacker could possibly use this issue to cause a denial of service even if EncryptInterceptor was being used. This issue affected tomcat8 for Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS (CVE-2022-29885)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS tomcat9-docs 9.0.58-1ubuntu0.1+esm2 Available with Ubuntu Pro
Ubuntu 20.04 LTS libtomcat9-java 9.0.31-1ubuntu0.6 tomcat9 9.0.31-1ubuntu0.6 tomcat9-docs 9.0.31-1ubuntu0.6
Ubuntu 18.04 LTS libtomcat8-java 8.5.39-1ubuntu1~18.04.3+esm2 Available with Ubuntu Pro libtomcat9-java 9.0.16-3ubuntu0.18.04.2+esm2 Available with Ubuntu Pro tomcat8 8.5.39-1ubuntu1~18.04.3+esm2 Available with Ubuntu Pro tomcat8-docs 8.5.39-1ubuntu1~18.04.3+esm2 Available with Ubuntu Pro tomcat9 9.0.16-3ubuntu0.18.04.2+esm2 Available with Ubuntu Pro tomcat9-docs 9.0.16-3ubuntu0.18.04.2+esm2 Available with Ubuntu Pro
Ubuntu 16.04 LTS libtomcat8-java 8.0.32-1ubuntu1.13+esm1 Available with Ubuntu Pro tomcat8 8.0.32-1ubuntu1.13+esm1 Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: tomcat6 security update Advisory ID: RHSA-2020:2529-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2529 Issue date: 2020-06-11 CVE Names: CVE-2020-9484 ==================================================================== 1. Summary:
An update for tomcat6 is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch
- Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
- tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
- Package List:
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source: tomcat6-6.0.24-115.el6_10.src.rpm
noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source: tomcat6-6.0.24-115.el6_10.src.rpm
noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: tomcat6-6.0.24-115.el6_10.src.rpm
noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
noarch: tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: tomcat6-6.0.24-115.el6_10.src.rpm
noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
noarch: tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXuIAOtzjgjWX9erEAQircxAAiJgOBZ2LET65r7XgAUP0MKNR8/ftKZkx VCnUU/yGylYEi5x7PODw8u/wGpmgbaC6rOfsHOETf/SEeUII2CgBUrK4A84/+ySc hxxUZJYJju5F2GcUsneictfVRJhdgehZuD/1Xa8M+x39TwAOqEH6U6+lKjZjCZCE oGLm8zXXePN21rsuF342CsI1/Z0ecCbYZgsIbvNksmtFWkqAsoprJNOJX7mz8QSd wd/mo85aWcL3e3EO9hClLD6wsX4UiiEn6zkuWgtucgqhaX8DnCwRh6aRHvHZBUtO TC+F2gmxl6jqFqK3Yy9Q7VYY5Cf7eeePzDgIVdPOuNuxNQh1y6QIPe+rt1WqNhaF +p+WgjB1GTRoUIQKQ3XwvI4zBypD01ZnZLUicUBMhenOBm8DfeYZ4UusMrJi3AVs rj7ElHVQtBT5S2SkF7RJGPcFV6/UY0XatHHZMZ19ugwiOED+uCpCO3EH/lQbAOLf Ei5Wb6a9uyNGfp/qFuHPzQzGlYr3EVwiv6EL0ME8tclXzV38LWEllQHAAkjGrYv/ xPDFbY4uvK9w26hQyqElycB4wJcn6c3i5D05TDUg92fE+TQ5O9nFlcDV3E+VafoZ sP45dVLPlUh307m/OhCgctbqLcnLef/mQJrUzwc3FR6/AI+R5WAekP47OEJd/Min JP21Ib3I3uM=oD9n -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update. (CVE-2020-11996)
It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. (CVE-2020-13934)
It was discovered that Tomcat did not properly validate the payload length in a WebSocket frame. (CVE-2020-13935)
It was discovered that Tomcat did not properly deserialize untrusted data.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/tomcat < 7.0.104:7 >= 7.0.104:7 < 8.5.55:8.5 >= 8.5.55:8.5
Description
Apache Tomcat improperly handles deserialization of files under specific circumstances.
Workaround
There is no known workaround at this time.
Resolution
All Apache Tomcat 7.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.104"
All Apache Tomcat 8.x users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.55"
References
[ 1 ] CVE-2020-9484 https://nvd.nist.gov/vuln/detail/CVE-2020-9484 [ 2 ] Upstream advisory (7) https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104 [ 3 ] Upstream advisory (8.5) https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202006-21
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202005-1052",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "epolicy orchestrator",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "5.9.1"
},
{
"model": "epolicy orchestrator",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "5.10.0"
},
{
"model": "communications cloud native core binding support function",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.10.0"
},
{
"model": "tomcat",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.108"
},
{
"model": "communications session route manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "instantis enterprisetrack",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"model": "agile engineering data management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "6.2.1.0"
},
{
"model": "hospitality guest access",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "4.2.1"
},
{
"model": "communications session route manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"model": "epolicy orchestrator",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "5.9.0"
},
{
"model": "tomcat",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "7.0.0"
},
{
"model": "retail order broker",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "15.0"
},
{
"model": "transportation management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "6.3.7"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "database",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21c"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "9.0.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "communications diameter signaling router",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.4.0.5"
},
{
"model": "workload manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18c"
},
{
"model": "communications session report manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"model": "communications instant messaging server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "10.0.1.4.0"
},
{
"model": "fmw platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "communications session report manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"model": "tomcat",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "9.0.43"
},
{
"model": "fmw platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "tomcat",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "10.0.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "31"
},
{
"model": "communications element manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"model": "siebel apps - marketing",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "21.9"
},
{
"model": "agile plm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.3.3"
},
{
"model": "communications element manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"model": "workload manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.0.1"
},
{
"model": "workload manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19c"
},
{
"model": "agile plm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.3.6"
},
{
"model": "communications diameter signaling router",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0.0"
},
{
"model": "agile plm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.3.5"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "tomcat",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "8.5.0"
},
{
"model": "hospitality guest access",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "4.2.0"
},
{
"model": "mysql enterprise monitor",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.21"
},
{
"model": "tomcat",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "9.0.1"
},
{
"model": "managed file transfer",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "managed file transfer",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "20.04"
},
{
"model": "siebel ui framework",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "20.12"
},
{
"model": "tomcat",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "8.5.63"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "database",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.0.1"
},
{
"model": "communications cloud native core policy",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.14.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "instantis enterprisetrack",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"model": "database",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19c"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubuntu",
"sources": [
{
"db": "PACKETSTORM",
"id": "179893"
},
{
"db": "PACKETSTORM",
"id": "158761"
},
{
"db": "PACKETSTORM",
"id": "159666"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
}
],
"trust": 0.9
},
"cve": "CVE-2020-9484",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"id": "CVE-2020-9484",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.4,
"id": "VHN-187609",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.0,
"id": "CVE-2020-9484",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-9484",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202005-1078",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-187609",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-9484",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat\u0027s use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484)\nThe fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329). \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u2. \n\nWe recommend that you upgrade your tomcat9 packages. \n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8\nTjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW\n1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE\nmpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO\n0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG\n2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI\n9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv\nREID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L\ntTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5\nRtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2\niG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS\nbTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU=\n=E8Ei\n-----END PGP SIGNATURE-----\n. ==========================================================================\nUbuntu Security Notice USN-6943-1\nAugust 01, 2024\n\ntomcat8, tomcat9 vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.04 LTS\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Tomcat. A remote attacker could\npossibly use this issue to execute arbitrary code. This issue only affected\ntomcat8 for Ubuntu 18.04 LTS (CVE-2020-9484)\n\nIt was discovered that Tomcat incorrectly handled certain HTTP/2 connection\nrequests. A remote attacker could use this issue to obtain wrong responses\npossibly containing sensitive information. This issue only affected tomcat8\nfor Ubuntu 18.04 LTS (CVE-2021-25122)\n\nThomas Wozenilek discovered that Tomcat incorrectly handled certain TLS\n\n\npackets. A remote attacker could possibly use this issue to cause a denial\nof service. This issue only affected tomcat8 for Ubuntu 18.04 LTS\n(CVE-2021-41079)\n\nTrung Pham discovered that a race condition existed in Tomcat when handling\nsession files with FileStore. A remote attacker could possibly use this\nissue to execute arbitrary code. This issue affected tomcat8 for Ubuntu\n16.04 LTS and Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS and Ubuntu\n20.04 LTS (CVE-2022-23181)\n\nIt was discovered that Tomcat\u0027s documentation incorrectly stated that\nEncryptInterceptor provided availability protection when running over an\nuntrusted network. A remote attacker could possibly use this issue to cause\na denial of service even if EncryptInterceptor was being used. This issue\naffected tomcat8 for Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS,\nUbuntu 20.04 LTS and Ubuntu 22.04 LTS (CVE-2022-29885)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.04 LTS\n tomcat9-docs 9.0.58-1ubuntu0.1+esm2\n Available with Ubuntu Pro\n\nUbuntu 20.04 LTS\n libtomcat9-java 9.0.31-1ubuntu0.6\n tomcat9 9.0.31-1ubuntu0.6\n tomcat9-docs 9.0.31-1ubuntu0.6\n\nUbuntu 18.04 LTS\n libtomcat8-java 8.5.39-1ubuntu1~18.04.3+esm2\n Available with Ubuntu Pro\n libtomcat9-java 9.0.16-3ubuntu0.18.04.2+esm2\n Available with Ubuntu Pro\n tomcat8 8.5.39-1ubuntu1~18.04.3+esm2\n Available with Ubuntu Pro\n tomcat8-docs 8.5.39-1ubuntu1~18.04.3+esm2\n Available with Ubuntu Pro\n tomcat9 9.0.16-3ubuntu0.18.04.2+esm2\n Available with Ubuntu Pro\n tomcat9-docs 9.0.16-3ubuntu0.18.04.2+esm2\n Available with Ubuntu Pro\n\nUbuntu 16.04 LTS\n libtomcat8-java 8.0.32-1ubuntu1.13+esm1\n Available with Ubuntu Pro\n tomcat8 8.0.32-1ubuntu1.13+esm1\n Available with Ubuntu Pro\n\nIn general, a standard system update will make all the necessary changes. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library. \n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a\nreplacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which\nare documented in the Release Notes document linked to in the References. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: tomcat6 security update\nAdvisory ID: RHSA-2020:2529-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2529\nIssue date: 2020-06-11\nCVE Names: CVE-2020-9484\n====================================================================\n1. Summary:\n\nAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Desktop Optional (v. 6) - noarch\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - noarch\nRed Hat Enterprise Linux Server (v. 6) - noarch\nRed Hat Enterprise Linux Server Optional (v. 6) - noarch\nRed Hat Enterprise Linux Workstation (v. 6) - noarch\nRed Hat Enterprise Linux Workstation Optional (v. 6) - noarch\n\n3. Description:\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies. \n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to\nRCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop Optional (v. 6):\n\nSource:\ntomcat6-6.0.24-115.el6_10.src.rpm\n\nnoarch:\ntomcat6-6.0.24-115.el6_10.noarch.rpm\ntomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm\ntomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm\ntomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm\ntomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-lib-6.0.24-115.el6_10.noarch.rpm\ntomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-webapps-6.0.24-115.el6_10.noarch.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nSource:\ntomcat6-6.0.24-115.el6_10.src.rpm\n\nnoarch:\ntomcat6-6.0.24-115.el6_10.noarch.rpm\ntomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm\ntomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm\ntomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm\ntomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-lib-6.0.24-115.el6_10.noarch.rpm\ntomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-webapps-6.0.24-115.el6_10.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\ntomcat6-6.0.24-115.el6_10.src.rpm\n\nnoarch:\ntomcat6-6.0.24-115.el6_10.noarch.rpm\ntomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-lib-6.0.24-115.el6_10.noarch.rpm\ntomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\nnoarch:\ntomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm\ntomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm\ntomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm\ntomcat6-webapps-6.0.24-115.el6_10.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\ntomcat6-6.0.24-115.el6_10.src.rpm\n\nnoarch:\ntomcat6-6.0.24-115.el6_10.noarch.rpm\ntomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm\ntomcat6-lib-6.0.24-115.el6_10.noarch.rpm\ntomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\nnoarch:\ntomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm\ntomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm\ntomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm\ntomcat6-webapps-6.0.24-115.el6_10.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-9484\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXuIAOtzjgjWX9erEAQircxAAiJgOBZ2LET65r7XgAUP0MKNR8/ftKZkx\nVCnUU/yGylYEi5x7PODw8u/wGpmgbaC6rOfsHOETf/SEeUII2CgBUrK4A84/+ySc\nhxxUZJYJju5F2GcUsneictfVRJhdgehZuD/1Xa8M+x39TwAOqEH6U6+lKjZjCZCE\noGLm8zXXePN21rsuF342CsI1/Z0ecCbYZgsIbvNksmtFWkqAsoprJNOJX7mz8QSd\nwd/mo85aWcL3e3EO9hClLD6wsX4UiiEn6zkuWgtucgqhaX8DnCwRh6aRHvHZBUtO\nTC+F2gmxl6jqFqK3Yy9Q7VYY5Cf7eeePzDgIVdPOuNuxNQh1y6QIPe+rt1WqNhaF\n+p+WgjB1GTRoUIQKQ3XwvI4zBypD01ZnZLUicUBMhenOBm8DfeYZ4UusMrJi3AVs\nrj7ElHVQtBT5S2SkF7RJGPcFV6/UY0XatHHZMZ19ugwiOED+uCpCO3EH/lQbAOLf\nEi5Wb6a9uyNGfp/qFuHPzQzGlYr3EVwiv6EL0ME8tclXzV38LWEllQHAAkjGrYv/\nxPDFbY4uvK9w26hQyqElycB4wJcn6c3i5D05TDUg92fE+TQ5O9nFlcDV3E+VafoZ\nsP45dVLPlUh307m/OhCgctbqLcnLef/mQJrUzwc3FR6/AI+R5WAekP47OEJd/Min\nJP21Ib3I3uM=oD9n\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. (CVE-2020-11996)\n\nIt was discovered that Tomcat did not properly release the HTTP/1.1\nprocessor after the upgrade to HTTP/2. (CVE-2020-13934)\n\nIt was discovered that Tomcat did not properly validate the payload\nlength in a WebSocket frame. (CVE-2020-13935)\n\nIt was discovered that Tomcat did not properly deserialize untrusted\ndata. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 www-servers/tomcat \u003c 7.0.104:7 \u003e= 7.0.104:7 \n \u003c 8.5.55:8.5 \u003e= 8.5.55:8.5 \n\nDescription\n===========\n\nApache Tomcat improperly handles deserialization of files under\nspecific circumstances. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Apache Tomcat 7.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-7.0.104\"\n\nAll Apache Tomcat 8.x users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/tomcat-8.5.55\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-9484\n https://nvd.nist.gov/vuln/detail/CVE-2020-9484\n[ 2 ] Upstream advisory (7)\n https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104\n[ 3 ] Upstream advisory (8.5)\n https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202006-21\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2020 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-9484"
},
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"db": "PACKETSTORM",
"id": "168857"
},
{
"db": "PACKETSTORM",
"id": "179893"
},
{
"db": "PACKETSTORM",
"id": "158029"
},
{
"db": "PACKETSTORM",
"id": "158050"
},
{
"db": "PACKETSTORM",
"id": "158761"
},
{
"db": "PACKETSTORM",
"id": "158034"
},
{
"db": "PACKETSTORM",
"id": "158032"
},
{
"db": "PACKETSTORM",
"id": "159666"
},
{
"db": "PACKETSTORM",
"id": "158103"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-187609",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-9484",
"trust": 2.7
},
{
"db": "MCAFEE",
"id": "SB10332",
"trust": 1.7
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/01/2",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "157924",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "158761",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "159666",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "158050",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "158103",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "167841",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "158621",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.2554",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0742",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0993",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.0938",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2110",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2046",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1887",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2447",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3547",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3628",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.1404",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1793",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2362",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2261",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.1130",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2670",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2089",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2731",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1837",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "46749",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022040522",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021072123",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021063003",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022030854",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "158029",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158032",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158034",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158030",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158049",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-98234",
"trust": 0.1
},
{
"db": "CNVD",
"id": "CNVD-2020-34449",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-187609",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-9484",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168857",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "179893",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"db": "PACKETSTORM",
"id": "168857"
},
{
"db": "PACKETSTORM",
"id": "179893"
},
{
"db": "PACKETSTORM",
"id": "158029"
},
{
"db": "PACKETSTORM",
"id": "158050"
},
{
"db": "PACKETSTORM",
"id": "158761"
},
{
"db": "PACKETSTORM",
"id": "158034"
},
{
"db": "PACKETSTORM",
"id": "158032"
},
{
"db": "PACKETSTORM",
"id": "159666"
},
{
"db": "PACKETSTORM",
"id": "158103"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"id": "VAR-202005-1052",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-29T21:52:14.014000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Apache Tomcat Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=120592"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202509 - Security Advisory"
},
{
"title": "Red Hat: Important: tomcat security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202530 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202506 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202487 - Security Advisory"
},
{
"title": "Red Hat: Important: tomcat6 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202529 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20202483 - Security Advisory"
},
{
"title": "Debian CVElist Bug Report Logs: tomcat9: CVE-2020-9484",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=cc55062b1693f83a222063668ffd932c"
},
{
"title": "Red Hat: Important: Red Hat support for Spring Boot 2.1.15 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203017 - Security Advisory"
},
{
"title": "Amazon Linux AMI: ALAS-2020-1389",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2020-1389"
},
{
"title": "Amazon Linux AMI: ALAS-2020-1390",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2020-1390"
},
{
"title": "Arch Linux Advisories: [ASA-202006-5] tomcat8: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202006-5"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1449",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2020-1449"
},
{
"title": "Arch Linux Advisories: [ASA-202006-7] tomcat9: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202006-7"
},
{
"title": "Arch Linux Advisories: [ASA-202005-19] tomcat7: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202005-19"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1493",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1493"
},
{
"title": "Amazon Linux 2: ALASTOMCAT8.5-2023-008",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALASTOMCAT8.5-2023-008"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1491",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1491"
},
{
"title": "Arch Linux Advisories: [ASA-202005-18] tomcat9: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202005-18"
},
{
"title": "Arch Linux Advisories: [ASA-202006-6] tomcat7: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202006-6"
},
{
"title": "Arch Linux Advisories: [ASA-202005-20] tomcat8: arbitrary code execution",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202005-20"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2020-9484 log"
},
{
"title": "Debian Security Advisories: DSA-4727-1 tomcat9 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=948379f644728cd78397969845b23817"
},
{
"title": "Debian Security Advisories: DSA-5265-1 tomcat9 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=5ff46eee51fe9c568d7579825e9f7646"
},
{
"title": "Ubuntu Security Notice: USN-5360-1: Tomcat vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-5360-1"
},
{
"title": "Amazon Linux 2: ALASTOMCAT8.5-2023-009",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALASTOMCAT8.5-2023-009"
},
{
"title": "IBM: Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=b4bdf241c7e678e09423e98e7d3134b8"
},
{
"title": "IBM: Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=6625900b3dffe0c4351300480ad4824f"
},
{
"title": "Red Hat: Important: Red Hat Fuse 7.11.0 release and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225532 - Security Advisory"
},
{
"title": "https://github.com/osamahamad/CVE-2020-9484-Mass-Scan",
"trust": 0.1,
"url": "https://github.com/osamahamad/CVE-2020-9484-Mass-Scan "
},
{
"title": "https://github.com/anjai94/CVE-2020-9484-exploit",
"trust": 0.1,
"url": "https://github.com/anjai94/CVE-2020-9484-exploit "
},
{
"title": "CVE-2020-9484",
"trust": 0.1,
"url": "https://github.com/DXY0411/CVE-2020-9484 "
},
{
"title": "CVE-2020-9484",
"trust": 0.1,
"url": "https://github.com/AssassinUKG/CVE-2020-9484 "
},
{
"title": "summary",
"trust": 0.1,
"url": "https://github.com/Catbamboo/Catbamboo.github.io "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-502",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "http://packetstormsecurity.com/files/157924/apache-tomcat-cve-2020-9484-proof-of-concept.html"
},
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202006-21"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20200528-0005/"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2020/jun/6"
},
{
"trust": 1.7,
"url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3cannounce.tomcat.apache.org%3e"
},
{
"trust": 1.7,
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html"
},
{
"trust": 1.7,
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"trust": 1.7,
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"trust": 1.6,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10332"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9484"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2020-9484"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3ccommits.tomee.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3ccommits.tomee.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3ccommits.tomee.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3ccommits.tomee.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3ccommits.tomee.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3cusers.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3cdev.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3cusers.tomcat.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3ccommits.tomee.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3ccommits.tomee.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3ccommits.tomee.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3ccommits.tomee.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3ccommits.tomee.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0938"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3547/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3628/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/46749"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2089/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2110/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2362/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158050/red-hat-security-advisory-2020-2529-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021072123"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022040522"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2554/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2447/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.1130"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vulnerabilities-affect-ibm-control-center/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1837/"
},
{
"trust": 0.6,
"url": "https://www.oracle.com/security-alerts/cpujul2021.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2261"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-tomcat-code-execution-via-persistencemanager-32313"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1887/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.1404"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-vulnerabilities-affect-ibm-watson-text-to-speech-and-speech-to-text-ibm-watson-speech-services-for-cloud-pak-for-data-1-2-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0993"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1793/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158621/red-hat-security-advisory-2020-3017-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2046/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2670/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.0742"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158103/gentoo-linux-security-advisory-202006-21.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021063003"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2731"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158761/ubuntu-security-notice-usn-4448-1.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/159666/ubuntu-security-notice-usn-4596-1.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022030854"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/167841/red-hat-security-advisory-2022-5532-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-tomcat-affects-ibm-platform-symphony-3/"
},
{
"trust": 0.4,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.4,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13935"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11996"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13934"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10332"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/tomcat9"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-6943-1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23181"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29885"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41079"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-25122"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.6"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2483"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2529"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.13"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4448-1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1935"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2509"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver\u0026downloadtype=securitypatches\u0026version=5.3"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2506"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4596-1"
},
{
"trust": 0.1,
"url": "https://tomcat.apache.org/security-7.html#fixed_in_apache_tomcat_7.0.104"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://tomcat.apache.org/security-8.html#fixed_in_apache_tomcat_8.5.55"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "PACKETSTORM",
"id": "168857"
},
{
"db": "PACKETSTORM",
"id": "179893"
},
{
"db": "PACKETSTORM",
"id": "158029"
},
{
"db": "PACKETSTORM",
"id": "158050"
},
{
"db": "PACKETSTORM",
"id": "158761"
},
{
"db": "PACKETSTORM",
"id": "158034"
},
{
"db": "PACKETSTORM",
"id": "158032"
},
{
"db": "PACKETSTORM",
"id": "159666"
},
{
"db": "PACKETSTORM",
"id": "158103"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-187609"
},
{
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"db": "PACKETSTORM",
"id": "168857"
},
{
"db": "PACKETSTORM",
"id": "179893"
},
{
"db": "PACKETSTORM",
"id": "158029"
},
{
"db": "PACKETSTORM",
"id": "158050"
},
{
"db": "PACKETSTORM",
"id": "158761"
},
{
"db": "PACKETSTORM",
"id": "158034"
},
{
"db": "PACKETSTORM",
"id": "158032"
},
{
"db": "PACKETSTORM",
"id": "159666"
},
{
"db": "PACKETSTORM",
"id": "158103"
},
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-05-20T00:00:00",
"db": "VULHUB",
"id": "VHN-187609"
},
{
"date": "2020-05-20T00:00:00",
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"date": "2020-07-28T19:12:00",
"db": "PACKETSTORM",
"id": "168857"
},
{
"date": "2024-08-02T16:04:27",
"db": "PACKETSTORM",
"id": "179893"
},
{
"date": "2020-06-11T16:32:58",
"db": "PACKETSTORM",
"id": "158029"
},
{
"date": "2020-06-11T16:36:37",
"db": "PACKETSTORM",
"id": "158050"
},
{
"date": "2020-08-05T15:19:31",
"db": "PACKETSTORM",
"id": "158761"
},
{
"date": "2020-06-11T16:33:52",
"db": "PACKETSTORM",
"id": "158034"
},
{
"date": "2020-06-11T16:33:22",
"db": "PACKETSTORM",
"id": "158032"
},
{
"date": "2020-10-21T15:52:39",
"db": "PACKETSTORM",
"id": "159666"
},
{
"date": "2020-06-16T00:56:11",
"db": "PACKETSTORM",
"id": "158103"
},
{
"date": "2020-05-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"date": "2020-05-20T19:15:09.257000",
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-07-25T00:00:00",
"db": "VULHUB",
"id": "VHN-187609"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2020-9484"
},
{
"date": "2023-07-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202005-1078"
},
{
"date": "2024-11-21T05:40:44.420000",
"db": "NVD",
"id": "CVE-2020-9484"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache Tomcat Code problem vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202005-1078"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.