High severityNVD Advisory· Published May 13, 2022· Updated Aug 3, 2024
Response mix-up with WebSocket concurrent send and close
CVE-2022-25762
Description
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.75 | 8.5.75 |
org.apache.tomcat:tomcatMaven | >= 9.0.0M1, < 9.0.20 | 9.0.20 |
Affected products
3- osv-coords2 versions
>= 8.5.0, < 8.5.76+ 1 more
- (no CPE)range: >= 8.5.0, < 8.5.76
- (no CPE)range: >= 8.5.0, < 8.5.75
- Apache Software Foundation/Apache Tomcatv5Range: Apache Tomcat 9 9.0.0.M1 to 9.0.20
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-h3ch-5pp2-vh6wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25762ghsaADVISORY
- lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7cghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20220629-0003ghsaWEB
- security.netapp.com/advisory/ntap-20220629-0003/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.