High severityNVD Advisory· Published May 12, 2022· Updated Aug 3, 2024
EncryptInterceptor does not provide complete protection on insecure networks
CVE-2022-29885
Description
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.0-M15 | 10.1.0-M15 |
org.apache.tomcat:tomcatMaven | >= 10.0.0-M1, < 10.0.21 | 10.0.21 |
org.apache.tomcat:tomcatMaven | >= 9.0.13, < 9.0.63 | 9.0.63 |
org.apache.tomcat:tomcatMaven | >= 8.5.38, < 8.5.79 | 8.5.79 |
Affected products
3- osv-coords2 versions
>= 8.5.38, < 8.5.79+ 1 more
- (no CPE)range: >= 8.5.38, < 8.5.79
- (no CPE)range: >= 10.1.0-M1, < 10.1.0-M15
- Apache Software Foundation/Apache Tomcatv5Range: Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-r84p-88g2-2vx2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-29885ghsaADVISORY
- www.debian.org/security/2022/dsa-5265ghsavendor-advisoryWEB
- github.com/apache/tomcat/commit/0fa7721f11d565a2cd2e44366c388ad6a3e6357dghsaWEB
- github.com/apache/tomcat/commit/36826ea638457d7e17876a70f89cb435b6db0d91ghsaWEB
- github.com/apache/tomcat/commit/b679bc627f5a4ea6510af95adfb7476b07eba890ghsaWEB
- github.com/apache/tomcat/commit/eaafd28296c54d983e28a47953c1f5cb2c334f48ghsaWEB
- lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcvghsaWEB
- lists.debian.org/debian-lts-announce/2022/10/msg00029.htmlghsamailing-listWEB
- security.netapp.com/advisory/ntap-20220629-0002ghsaWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsaWEB
- packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.htmlmitre
- security.netapp.com/advisory/ntap-20220629-0002/mitre
News mentions
0No linked articles in our index yet.