CVE-2020-9484
Summary
| CVE | CVE-2020-9484 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-20 19:15:00 UTC |
| Updated | 2023-11-07 03:26:00 UTC |
| Description | When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. |
Risk And Classification
Problem Types: CWE-502
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 20.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.10.0 | - | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.10.0 | update_1 | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.10.0 | update_2 | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.10.0 | update_3 | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.9.0 | All | All | All |
| Application | Mcafee | Epolicy Orchestrator | 5.9.1 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Application | Oracle | Agile Engineering Data Management | 6.2.1.0 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.3 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.5 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 1.14.0 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | All | All | All | All |
| Application | Oracle | Communications Element Manager | All | All | All | All |
| Application | Oracle | Communications Instant Messaging Server | 10.0.1.4.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | All | All | All | All |
| Application | Oracle | Communications Session Route Manager | All | All | All | All |
| Application | Oracle | Database | 12.2.0.1 | All | All | All |
| Application | Oracle | Database | 19c | All | All | All |
| Application | Oracle | Database | 21c | All | All | All |
| Application | Oracle | Fmw Platform | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Fmw Platform | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.0 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | All | All | All | All |
| Application | Oracle | Managed File Transfer | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Managed File Transfer | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Retail Order Broker | 15.0 | All | All | All |
| Application | Oracle | Siebel Apps - Marketing | All | All | All | All |
| Application | Oracle | Siebel Ui Framework | All | All | All | All |
| Application | Oracle | Transportation Management | 6.3.7 | All | All | All |
| Application | Oracle | Workload Manager | 12.2.0.1 | All | All | All |
| Application | Oracle | Workload Manager | 18c | All | All | All |
| Application | Oracle | Workload Manager | 19c | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MISC | lists.apache.org | Mailing List, Mitigation, Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| USN-4596-1: Tomcat vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| [tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence) | lists.apache.org | ||
| [tomcat-users] 20210701 Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5 | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Patch, Third Party Advisory |
| [SECURITY] Fedora 31 Update: tomcat-9.0.36-1.fc31 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 31 Update: tomcat-9.0.36-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence) | lists.apache.org | ||
| Apache Tomcat CVE-2020-9484 Proof Of Concept ≈ Packet Storm | MISC | packetstormsecurity.com | Third Party Advisory, VDB Entry |
| [security-announce] openSUSE-SU-2020:0711-1: important: Security update | SUSE | lists.opensuse.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | Patch, Third Party Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] [DLA 2217-1] tomcat7 security update | MLIST | lists.debian.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Exploit, Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 32 Update: tomcat-9.0.36-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| [SECURITY] [DLA 2209-1] tomcat8 security update | MLIST | lists.debian.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Patch, Third Party Advisory |
| [tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence) | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| [tomcat-users] 20210701 What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5 | lists.apache.org | ||
| USN-4448-1: Tomcat vulnerabilities | Ubuntu security notices | Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| [tomcat-dev] 20210712 svn commit: r1891484 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml | lists.apache.org | ||
| [SECURITY] [DLA 2279-1] tomcat8 security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| oss-security - CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484 | MLIST | www.openwall.com | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Full Disclosure: [CVE-2020-9484] Apache Tomcat RCE via PersistentManager | FULLDISC | seclists.org | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| CVE-2020-9484 Apache Tomcat Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Pony Mail! | lists.apache.org | ||
| Apache Tomcat: Remote code execution (GLSA 202006-21) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| [tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml | lists.apache.org | ||
| McAfee Security Bulletin - ePolicy Orchestrator update addresses multiple vulnerabilities (CVE-2020-7317, CVE-2020-7318, CVE-2020-13935, CVE-2020-9484, CVE-2020-14621, CVE-2020-14573, CVE-2020-14578, CVE-2020-14579, CVE-2020-14581, CVE-2020-2754, CVE-2020-2755, CVE-2020-2756, CVE-2020-2757, CVE-2020-2764, CVE-2020-2773) | CONFIRM | kc.mcafee.com | Third Party Advisory |
| [tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5 | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| [SECURITY] Fedora 32 Update: tomcat-9.0.36-1.fc32 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Oracle Critical Patch Update Advisory - July 2022 | N/A | www.oracle.com | |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | Patch, Third Party Advisory |
| Debian -- Security Information -- DSA-4727-1 tomcat9 | DEBIAN | www.debian.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 174905 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:0988-1)
- 174906 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:0989-1)
- 174912 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1009-1)
- 174941 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1008-1)
- 174964 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1431-1)
- 178492 Debian Security Update for tomcat8 (DLA 2596-1)
- 181163 Debian Security Update for tomcat9 (DLA 3160-1)
- 181177 Debian Security Update for tomcat9 (DSA 5265-1)
- 198724 Ubuntu Security Notification for Tomcat Vulnerabilities (USN-5360-1)
- 20275 Oracle Database 18c Critical OJVM Patch Update - April 2021
- 20278 Oracle Database 19c Critical OJVM Patch Update - April 2021
- 296062 Oracle Solaris 11.4 Support Repository Update (SRU) 43.113.3 Missing (CPUJAN2022)
- 296074 Oracle Solaris 11.4 Support Repository Update (SRU) 22.69.4 Missing (CPUAPR2020)
- 352256 Amazon Linux Security Advisory for tomcat8: ALAS-2021-1491
- 352262 Amazon Linux Security Advisory for tomcat7: ALAS-2021-1493
- 352298 Amazon Linux Security Update for tomcat7: AL2012-2021-341
- 356283 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-008
- 356300 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-009
- 377006 Alibaba Cloud Linux Security Update for tomcat (ALINUX2-SA-2020:0099)
- 670219 EulerOS Security Update for tomcat (EulerOS-SA-2021-1856)
- 670309 EulerOS Security Update for tomcat (EulerOS-SA-2021-1915)
- 670333 EulerOS Security Update for tomcat (EulerOS-SA-2021-1891)
- 670677 EulerOS Security Update for tomcat (EulerOS-SA-2021-2435)
- 730510 Atlassian Jira Remote Code Execution (RCE) Vulnerability (JRASERVER-73223)
- 730575 Atlassian Jira Server and Data Center Multiple Servlet Apache Tomcat Vulnerability (JRASERVER-73739)
- 730646 Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)
- 730651 Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)
- 730656 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 730660 Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)
- 730662 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 730666 Apache Tomcat Local Privilege Escalation Vulnerability (CVE-2020-9484)
- 730668 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 750285 OpenSUSE Security Update for tomcat (openSUSE-SU-2021:0496-1)
- 982093 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-344f-f5vg-2jfj)