Local privilege escalation with FileStore
Description
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A time-of-check, time-of-use race in Apache Tomcat's FileStore session persistence lets a local attacker perform actions with the privileges of the user the Tomcat process runs as.
Vulnerability
The fix for CVE-2020-9484 added a check in Tomcat's FileStore that the session file resolved from a session ID lies inside the configured store directory. In Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that check and the subsequent use of the file are not atomic, which is a time-of-check, time-of-use (TOCTOU) race. The issue is only exploitable when Tomcat is configured to persist sessions using the FileStore, that is, a PersistentManager with a nested FileStore; the default StandardManager does not use it [1].
Exploitation
A local attacker who can write into the FileStore session directory can exploit the window between Tomcat validating a session file's path and reading the file: if what that path refers to is changed in between, the path that was validated and the file that is actually read differ. The attacker must therefore be able to create, replace or modify entries in the session store while Tomcat is processing a session, and must win the race. No Tomcat credentials are needed; the precondition is file-system write access to the store directory from a local account [1].
Impact
Successful exploitation lets the attacker perform actions with the privileges of the user the Tomcat process runs as: read anything that user can read (deployed applications, configuration files and any credentials they hold), modify anything it can write, and use that access to compromise the host further [1].
Mitigation
Fixed releases exist even though not every reference indexed here names them: the Affected packages table below (sourced from the GHSA) gives 10.0.16, 9.0.58 and 8.5.75 as the patched versions, and the 10.1 milestone line is fixed after 10.1.0-M8 (the Apache announcement names 10.1.0-M10). Upgrade to those versions or later. Where an upgrade must wait, stop persisting sessions with the FileStore: remove the PersistentManager/FileStore configuration so the default in-memory StandardManager is used, or switch to the JDBCStore if sessions must survive restarts. If the FileStore has to stay, make the session directory and its parents owned by the Tomcat user with no group or world write permission, so that no other local account can alter the store between the check and the use [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
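The three conditions from the Vulnerability, Exploitation and Mitigation sections above (a FileStore is configured, another local account can write to the store directory, and the Tomcat build is in an affected range) can be checked on a host in one pass. The script below is an added example written for this page; it is not code from the Tomcat project or from any cited advisory. It assumes a context.xml or server.xml with a PersistentManager that nests a FileStore Store element, a Unix host with `ls`, `grep -o` and `sed`, and the fixed versions from the Affected packages table (10.0.16, 9.0.58, 8.5.75) plus 10.1.0-M10 for the milestone line. The function names, the sample configuration it writes and the verdict strings are this example's own.

```shell
#!/bin/sh
# Added audit example for this page, not Tomcat project code. It checks
# the three conditions that make CVE-2022-23181 exploitable on a host:
#   1. a <Store className="org.apache.catalina.session.FileStore"> exists,
#   2. another local user can write to the store directory,
#   3. the Tomcat build is in an affected range.
# Assumed fixed versions: 10.0.16, 9.0.58, 8.5.75 (Affected packages
# table) and 10.1.0-M10 for the 10.1 line. Names and messages are ours.

# Write a constructed, deliberately vulnerable context.xml to $1 that
# persists sessions in directory $2 (the shape of the affected setup).
write_sample_context() {
    cat > "$1" <<EOF
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="60">
    <Store className="org.apache.catalina.session.FileStore"
           directory="$2"/>
  </Manager>
</Context>
EOF
}

# Print the directory= attribute of the FileStore in config $1 and return
# 0; return 1 when no FileStore is configured. Empty output with status 0
# means FileStore without directory=, i.e. Tomcat's default "sessions"
# directory under the context's work directory.
filestore_dir() {
    store=$(tr '\n' ' ' < "$1" | grep -o '<Store[^>]*>' \
            | grep 'org\.apache\.catalina\.session\.FileStore' | head -n 1)
    [ -n "$store" ] || return 1
    printf '%s\n' "$store" | sed -n 's/.*directory="\([^"]*\)".*/\1/p'
    return 0
}

# Return 0 (unsafe) when directory $1 is owned by someone other than $2
# or has the group or world write bit; return 1 when only $2 can write.
# A missing directory returns 1: nothing exists to race against yet.
store_dir_unsafe() {
    [ -d "$1" ] || return 1
    line=$(ls -ld "$1")
    perms=$(printf '%s\n' "$line" | cut -c1-10)      # e.g. drwxrwxr-x
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$owner" = "$2" ] || return 0
    case "$perms" in
        ?????w????|????????w?) return 0 ;;            # group/world write
    esac
    return 1
}

# Return 0 when upstream version $1 is in an affected range, with the
# first fixed release as the exclusive upper bound. Distro packages
# backport fixes: compare those against the distro's fixed build instead.
version_vulnerable() {
    case "$1" in
        10.1.0-M[1-8]) return 0 ;;   # 10.1.0-M1 .. 10.1.0-M8
        10.1.*)        return 1 ;;   # 10.1.0-M10 and later
        10.0.0-M[1-4]) return 1 ;;   # milestones before 10.0.0-M5
        10.0.0-M*)     return 0 ;;   # 10.0.0-M5 .. 10.0.0-M10
    esac
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
    pat=${pat%%[!0-9]*}              # drop suffixes such as "-19.1"
    [ -n "$pat" ] || return 1
    case "$maj.$min" in
        10.0) lo=0;  fix=16 ;;       # 10.0.0 .. 10.0.14, fixed 10.0.16
        9.0)  lo=35; fix=58 ;;       # 9.0.35 .. 9.0.56,  fixed 9.0.58
        8.5)  lo=55; fix=75 ;;       # 8.5.55 .. 8.5.73,  fixed 8.5.75
        *)    return 1 ;;
    esac
    if [ "$pat" -ge "$lo" ] && [ "$pat" -lt "$fix" ]; then return 0; fi
    return 1
}

# One verdict line; exit 0 = fine, 1 = affected but restricted, 2 = exposed.
audit_filestore() {
    cfg="$1"; tomcat_user="$2"; version="$3"
    if ! dir=$(filestore_dir "$cfg"); then
        echo "OK: no FileStore in $cfg, CVE-2022-23181 does not apply"
        return 0
    fi
    shown=$dir; [ -n "$shown" ] || shown="(default work/sessions dir)"
    if ! version_vulnerable "$version"; then
        echo "OK: Tomcat $version is outside the affected ranges; keep $shown restricted"
        return 0
    fi
    if [ -n "$dir" ] && store_dir_unsafe "$dir" "$tomcat_user"; then
        echo "CRITICAL: Tomcat $version, FileStore dir $shown writable by others; upgrade, chown $tomcat_user, chmod 700"
        return 2
    fi
    echo "WARN: Tomcat $version is affected; $shown is restricted to $tomcat_user, upgrade anyway"
    return 1
}

# Usage: sh audit_filestore.sh /etc/tomcat/context.xml tomcat 9.0.56
if [ $# -eq 3 ]; then
    audit_filestore "$1" "$2" "$3"
fi
```

Two caveats when running this for real. Tomcat resolves a relative directory= value against the context's work directory, so the permission check is only meaningful for absolute paths. And distribution packages (the SUSE, openSUSE and Debian builds listed under Affected products) backport the fix without bumping the upstream version, so for those compare the package version against the distribution's own fixed build rather than trusting version_vulnerable.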
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 10.0.0, < 10.0.16 | 10.0.16 |
| org.apache.tomcat:tomcat (Maven) | >= 9.0.0, < 9.0.58 | 9.0.58 |
| org.apache.tomcat:tomcat (Maven) | < 8.5.75 | 8.5.75 |
Affected products
44 entries: 43 OSV package coordinates and one CVE v5 product record, none with a CPE. Version ranges are paired with coordinates by their position in the page's list.

- pkg:bitnami/tomcat: >= 8.5.55, < 8.5.74
- pkg:maven/org.apache.tomcat/tomcat: >= 10.0.0, < 10.0.16
- pkg:rpm/opensuse/tomcat10 (openSUSE Tumbleweed): < 10.1.14-1.1
- pkg:rpm/opensuse/tomcat (openSUSE Leap 15.3): < 9.0.36-19.1
- pkg:rpm/opensuse/tomcat (openSUSE Tumbleweed): < 9.0.43-5.1
- pkg:rpm/suse/javapackages-tools: < 5.3.1-14.5.1 on each of HPE Helion OpenStack 8; SUSE Linux Enterprise Server 12 SP4-LTSS; SUSE Linux Enterprise Server 12 SP5; SUSE Linux Enterprise Server for SAP Applications 12 SP4; SUSE Linux Enterprise Server for SAP Applications 12 SP5; SUSE Linux Enterprise Software Development Kit 12 SP5; SUSE OpenStack Cloud 8; SUSE OpenStack Cloud 9; SUSE OpenStack Cloud Crowbar 8; SUSE OpenStack Cloud Crowbar 9
- pkg:rpm/suse/tomcat, grouped by fixed build:
  - < 9.0.36-3.84.1: SUSE Linux Enterprise Server 12 SP4-LTSS; SUSE Linux Enterprise Server 12 SP5; SUSE Linux Enterprise Server for SAP Applications 12 SP4; SUSE Linux Enterprise Server for SAP Applications 12 SP5; SUSE OpenStack Cloud 9; SUSE OpenStack Cloud Crowbar 9
  - < 9.0.36-3.90.1: SUSE Linux Enterprise High Performance Computing 15-ESPOS; SUSE Linux Enterprise High Performance Computing 15-LTSS; SUSE Linux Enterprise Server 15-LTSS; SUSE Linux Enterprise Server for SAP Applications 15
  - < 9.0.36-4.70.1: SUSE Enterprise Storage 6; SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS; SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS; SUSE Linux Enterprise Server 15 SP1-BCL; SUSE Linux Enterprise Server 15 SP1-LTSS; SUSE Linux Enterprise Server for SAP Applications 15 SP1
  - < 9.0.36-19.1: SUSE Enterprise Storage 7; SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS; SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS; SUSE Linux Enterprise Module for Web and Scripting 15 SP3; SUSE Linux Enterprise Server 15 SP2-BCL; SUSE Linux Enterprise Server 15 SP2-LTSS; SUSE Linux Enterprise Server for SAP Applications 15 SP2; SUSE Manager Proxy 4.1; SUSE Manager Retail Branch Server 4.1; SUSE Manager Server 4.1
  - < 9.0.115-3.160.1: SUSE Linux Enterprise Server 12 SP5-LTSS; SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
- Apache Software Foundation / Apache Tomcat (CVE v5 record): Apache Tomcat 10.1, 10.1.0-M1 to 10.1.0-M8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9f3j-pm6f-9fm5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23181 (NVD record)
- www.debian.org/security/2022/dsa-5265 (Debian vendor advisory)
- lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 (Apache Tomcat announcement thread)
- lists.debian.org/debian-lts-announce/2022/10/msg00029.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20220217-0010 (NetApp advisory; also cited by MITRE)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
- www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)
News mentions
No linked articles in our index yet.