VYPR
High severityNVD Advisory· Published May 12, 2022· Updated Aug 3, 2024

EncryptInterceptor does not provide complete protection on insecure networks

CVE-2022-29885

Description

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcatMaven
>= 10.1.0-M1, < 10.1.0-M1510.1.0-M15
org.apache.tomcat:tomcatMaven
>= 10.0.0-M1, < 10.0.2110.0.21
org.apache.tomcat:tomcatMaven
>= 9.0.13, < 9.0.639.0.63
org.apache.tomcat:tomcatMaven
>= 8.5.38, < 8.5.798.5.79

Affected products

3
  • osv-coords2 versions
    >= 8.5.38, < 8.5.79+ 1 more
    • (no CPE)range: >= 8.5.38, < 8.5.79
    • (no CPE)range: >= 10.1.0-M1, < 10.1.0-M15
  • Apache Software Foundation/Apache Tomcatv5
    Range: Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14

Patches

Vulnerability mechanics

References

13

News mentions

0

No linked articles in our index yet.