CVE-2022-29885

HIGH

Apache Tomcat < 8.5.78 - Denial of Service

Title source: rule

Description

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Exploits (4)

exploitdb WORKING POC
by Cristian Giustini · pythondosmultiple
https://www.exploit-db.com/exploits/51262
nomisec WORKING POC 5 stars
by quynhlab · poc
https://github.com/quynhlab/CVE-2022-29885
nomisec WORKING POC 4 stars
by iveresk · poc
https://github.com/iveresk/CVE-2022-29885

Scores

CVSS v3 7.5
EPSS 0.5553
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (6)
apache/tomcat 10.1.0 milestone1 (14 CPE variants)
apache/tomcat 8.5.38 - 8.5.78
debian/debian_linux 10.0
debian/debian_linux 11.0
oracle/hospitality_cruise_shipboard_property_management_system 20.2.1
org.apache.tomcat/tomcat 10.1.0-M1 - 10.1.0-M15 (Maven)
Published May 12, 2022
Tracked Since Feb 18, 2026