PT-2022-2604 · Apache · Apache Tomcat
Author: 4Ra1N · Published 2020-09-30 · Updated 2026-05-18
CVE-2022-25762
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.75
Apache Tomcat versions 9.0.0.M1 through 9.0.20
Description
The issue occurs when a web application sends a WebSocket message concurrently with the WebSocket connection being closed. The application can then continue using the socket after it has been closed, which results in a pooled object being returned to the pool twice. Subsequent connections may consequently receive and use the same object concurrently, so data may be returned to the wrong user and/or other errors may occur.
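The double-release hazard described above, as an added illustration that is not Tomcat's code: a simplified pool and two session models, one whose close path can hand the same buffer back twice and one guarded with an atomic flag so that exactly one release happens however many callers race to close. All class names are assumptions for the demo.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.atomic.AtomicBoolean;

// Simplified model (assumed names, not Tomcat code) of why an unguarded
// release on concurrent send/close puts one pooled object in the pool twice.
public class DoubleReleaseDemo {

    static final class Pool {
        private final Deque<StringBuilder> free = new ArrayDeque<>();

        synchronized StringBuilder acquire() {
            StringBuilder b = free.poll();
            return b != null ? b : new StringBuilder();
        }

        // The pool trusts its callers: nothing rejects a duplicate release.
        synchronized void release(StringBuilder b) {
            b.setLength(0);
            free.push(b);
        }
    }

    // Vulnerable: the sender's error path and the closer may each release once.
    static final class UnguardedSession {
        final Pool pool; final StringBuilder buf;
        UnguardedSession(Pool p) { pool = p; buf = p.acquire(); }
        void close() { pool.release(buf); }
    }

    // Fixed: compareAndSet lets only the first caller release the buffer.
    static final class GuardedSession {
        final Pool pool; final StringBuilder buf;
        private final AtomicBoolean released = new AtomicBoolean(false);
        GuardedSession(Pool p) { pool = p; buf = p.acquire(); }
        void close() { if (released.compareAndSet(false, true)) pool.release(buf); }
    }

    public static void main(String[] args) {
        Pool pool = new Pool();
        UnguardedSession u = new UnguardedSession(pool);
        u.close(); u.close();   // send-failure path and close path both release
        StringBuilder userA = pool.acquire(), userB = pool.acquire();
        System.out.println("unguarded: two users share one buffer = " + (userA == userB));

        Pool pool2 = new Pool();
        GuardedSession g = new GuardedSession(pool2);
        g.close(); g.close();
        StringBuilder c = pool2.acquire(), d = pool2.acquire();
        System.out.println("guarded: two users share one buffer = " + (c == d));
    }
}
```

With the unguarded session the two later acquirers receive the same buffer, which is the cross-user data exposure the advisory describes; the guarded session hands out distinct objects.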
Recommendations
For Apache Tomcat versions 8.5.0 through 8.5.75, update to a release later than 8.5.75 to resolve the issue.
For Apache Tomcat versions 9.0.0.M1 through 9.0.20, update to a release later than 9.0.20 to resolve the issue.
As a temporary workaround, consider disabling WebSocket functionality until the update can be applied.
Restrict access to sensitive data to minimize the impact of exploitation.
Race Condition
Improper Resource Release
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
Centos
Red Hat
Rocky Linux