PT-2022-5376 · Apache · Apache Tomcat
Published 2022-01-20 · Updated 2026-05-18
CVE-2022-23181
CVSS v3.1
7.0
High
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.55 through 8.5.73
Apache Tomcat versions 9.0.35 through 9.0.56
Apache Tomcat versions 10.0.0-M5 through 10.0.14
Apache Tomcat versions 10.1.0-M1 through 10.1.0-M8
Description
The fix for CVE-2020-9484 introduced a time-of-check/time-of-use (TOCTOU) race condition into the FileStore session persistence code of Apache Tomcat. A local attacker who wins the race between the check that earlier fix performs on a persisted session file and Tomcat's later use of that file can perform actions with the privileges of the user account the Tomcat process runs as; the Apache Tomcat project classifies the issue as a local privilege escalation of Important severity. The bug is only exploitable when Tomcat is configured to persist sessions through org.apache.catalina.session.FileStore (a PersistentManager with a FileStore <Store>); deployments that keep the default StandardManager, or that use a different Store implementation, are not exposed.
Recommendations
For Apache Tomcat 8.5.55 through 8.5.73, upgrade to 8.5.75 or later.
For Apache Tomcat 9.0.35 through 9.0.56, upgrade to 9.0.58 or later.
For Apache Tomcat 10.0.0-M5 through 10.0.14, upgrade to 10.0.16 or later.
For Apache Tomcat 10.1.0-M1 through 10.1.0-M8, upgrade to 10.1.0-M10 or later.
If the upgrade cannot be applied immediately, stop persisting sessions through FileStore until it is: remove the FileStore <Store> element (or the whole PersistentManager) from the affected context configuration, falling back to the default StandardManager or another Store implementation.
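As an added example (not part of this advisory and not code from the Apache Tomcat project), the POSIX shell script below checks a Tomcat version string against the four affected ranges listed above and greps a context.xml or server.xml for the FileStore <Store> element that makes the bug exploitable. The embedded context.xml is constructed here to show the vulnerable PersistentManager/FileStore setup; the version-string format (MAJOR.MINOR.PATCH with an optional -Mn milestone suffix) and the "Server version: Apache Tomcat/..." line parsed from bin/version.sh are assumptions about the installation being checked.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from Apache Tomcat itself.
# Two checks for CVE-2022-23181 exposure:
#   1. is the Tomcat version inside one of the four affected ranges?
#   2. does a Tomcat context/server XML persist sessions through FileStore?
# Assumed version format: MAJOR.MINOR.PATCH with optional -Mn milestone (10.1.0-M8).

# tomcat_affected VERSION -> exit 0 if affected, 1 if not, 2 if the string is not a version
tomcat_affected() {
    v=$1
    base=${v%%-*}                       # 10.1.0-M8 -> 10.1.0
    case $v in
        *-M*) ms=${v##*-M} ;;           # milestone number: 10.1.0-M8 -> 8
        *)    ms= ;;
    esac
    case $base in
        *.*.*) ;;
        *)     return 2 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    for n in "$major" "$minor" "$patch" "${ms:-0}"; do   # every part must be decimal
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    case "$major.$minor" in
        8.5)  [ -z "$ms" ] && [ "$patch" -ge 55 ] && [ "$patch" -le 73 ] ;;
        9.0)  [ -z "$ms" ] && [ "$patch" -ge 35 ] && [ "$patch" -le 56 ] ;;
        10.0) # 10.0.0-M5 up to the last 10.0.0 milestone, then 10.0.0 through 10.0.14
              if [ -n "$ms" ]; then [ "$patch" -eq 0 ] && [ "$ms" -ge 5 ]
              else [ "$patch" -le 14 ]; fi ;;
        10.1) [ -n "$ms" ] && [ "$patch" -eq 0 ] && [ "$ms" -ge 1 ] && [ "$ms" -le 8 ] ;;
        *)    false ;;
    esac
}

# filestore_configured FILE -> exit 0 if a <Store> element with the FileStore class is present.
# Assumes the className attribute sits on the same line as the <Store tag; a FileStore that
# is only mentioned inside an XML comment also matches, so confirm hits by reading the file.
filestore_configured() {
    grep -Eq '<Store[^>]*className="org\.apache\.catalina\.session\.FileStore"' "$1"
}

# installed_version -> print the running version, taken from the
# "Server version: Apache Tomcat/9.0.56" line that bin/version.sh prints (assumed format).
installed_version() {
    [ -n "${CATALINA_HOME:-}" ] || return 1
    "$CATALINA_HOME/bin/version.sh" 2>/dev/null |
        sed -n 's#^Server version: *Apache Tomcat/##p'
}

# Demo on constructed input: the PersistentManager + FileStore configuration that
# the advisory names as the exploitable one (written to a temp file, then removed).
tmp=$(mktemp) || exit 1
cat >"$tmp" <<'EOF'
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="60">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
EOF
for v in 8.5.54 8.5.73 9.0.56 9.0.58 10.0.0-M4 10.0.0-M5 10.0.14 10.0.16 10.1.0-M8 10.1.0-M10; do
    if tomcat_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
if filestore_configured "$tmp"; then echo "FileStore session persistence is enabled in $tmp"; fi
rm -f "$tmp"
```

To apply the workaround, drop the <Store> element shown in the constructed context.xml (or the whole PersistentManager) so that the context falls back to the default StandardManager. Point filestore_configured at every place a Manager can be declared: conf/context.xml, conf/server.xml, and each web application's META-INF/context.xml; a Manager configured programmatically through the embedded API will not be found by a grep.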
Weakness Enumeration
CWE-367 Time Of Check To Time Of Use
Affected Products
Alt Linux
Apache Tomcat
Astra Linux
Linux Mint
RED OS
SUSE
Ubuntu