QID 356300
Date Published: 2023-09-28
QID 356300: Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-009
A deserialization flaw was discovered in apache tomcat's use of a filestore.
Under specific circumstances, an attacker can use a specially crafted request to trigger remote code execution through deserialization of the file under their control.
The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (
( CVE-2020-9484) a flaw was found in apache tomcat.
When responding to new h2c connection requests, apache tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user a and user b could both see the results of user a's request.
The highest threat from this vulnerability is to data confidentiality. (
( CVE-2021-25122) the fix for( CVE-2020-9484 was incomplete.
When using apache tomcat 10.0.0-m1 to 10.0.0, 9.0.0.m1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0.
To 7.0.107 with a configuration edge case that was highly unlikely to be used, the tomcat instance was still vulnerable to( CVE-2020-9494.
Note that both the previously published prerequisites for( CVE-2020-9484 and the previously published mitigations for( CVE-2020-9484 also apply to this issue. (
( CVE-2021-25329)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
- ALASTOMCAT8.5-2023-009 -
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-009.html
CVEs related to QID 356300
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALASTOMCAT8.5-2023-009 | amazon linux 2 |
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-009.html |