PT-2020-3309 · Apache · Apache Tomcat

Published: 2019-09-10 · Updated: 2025-12-10 · CVE-2020-9484

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 10.0.0-M1 through 10.0.0-M4
Apache Tomcat versions 9.0.0.M1 through 9.0.34
Apache Tomcat versions 8.5.0 through 8.5.54
Apache Tomcat versions 7.0.0 through 7.0.103
Description

The issue is deserialization of untrusted data in the PersistenceManager component of Apache Tomcat, which can lead to remote code execution. For the attack to succeed, four conditions must hold at once: the attacker must be able to control the contents and name of a file on the server; the server must be configured to use the PersistenceManager with a FileStore; the PersistenceManager must be configured with a filter lax enough to allow the attacker-provided object to be deserialized; and the attacker must know the relative path from the FileStore storage location to the file under their control. Using a specially crafted request, the attacker can then trigger remote code execution through deserialization of that file.
Recommendations

For Apache Tomcat versions 10.0.0-M1 through 10.0.0-M4, upgrade to version 10.0.0-M5 or later.
For Apache Tomcat versions 9.0.0.M1 through 9.0.34, upgrade to version 9.0.35 or later.
For Apache Tomcat versions 8.5.0 through 8.5.54, upgrade to version 8.5.55 or later, or configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application-provided attributes are serialized and deserialized.
For Apache Tomcat versions 7.0.0 through 7.0.103, upgrade to version 7.0.104 or later.
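A context.xml fragment illustrating the configuration side of the recommendation, added here as an example and not taken from the advisory or from the Tomcat project: the first Manager block shows the exposed setup (the Tomcat class org.apache.catalina.session.PersistentManager, which the advisory calls PersistenceManager, backed by a FileStore with no attribute class filter), the second restricts sessionAttributeValueClassNameFilter to an allow-list of application-provided attribute types. The sessions directory and the com.example.app package are assumed placeholders; upgrading remains the primary fix.

```xml
<!-- Variant 1 (exposed): PersistentManager + FileStore with no
     sessionAttributeValueClassNameFilter. Any serializable class on
     the classpath may be deserialized from a session file. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <!-- assumed path; the store directory is deployment-specific -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>

<!-- Variant 2 (mitigated): only attribute values whose class name
     fully matches the regular expression are (de)serialized; any
     other attribute is skipped, and warnOnSessionAttributeFilterFailure
     raises the skip to a WARN log entry so the rejection is visible.
     com.example.app.session is an assumed application package. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\.session\..*"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
```

Keep the allow-list to the concrete types the application actually stores in sessions; a broad pattern such as `.*` reintroduces the exposed behaviour.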

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers


Affected Products

ALT Linux
Apache Tomcat
CentOS
Linux Mint
Red Hat
SUSE
Ubuntu