ID

VAR-202005-1052


CVE

CVE-2020-9484


TITLE

Apache Tomcat Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202005-1078

DESCRIPTION

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat's use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484) The fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329). For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u2. We recommend that you upgrade your tomcat9 packages. For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8 TjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW 1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE mpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO 0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG 2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI 9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv REID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L tTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5 RtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2 iG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS bTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU= =E8Ei -----END PGP SIGNATURE----- . Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: tomcat6 security update Advisory ID: RHSA-2020:2529-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2529 Issue date: 2020-06-11 CVE Names: CVE-2020-9484 ==================================================================== 1. Summary: An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es): * tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 6. Package List: Red Hat Enterprise Linux Desktop Optional (v. 6): Source: tomcat6-6.0.24-115.el6_10.src.rpm noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: tomcat6-6.0.24-115.el6_10.src.rpm noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm Red Hat Enterprise Linux Server (v. 6): Source: tomcat6-6.0.24-115.el6_10.src.rpm noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 6): noarch: tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: tomcat6-6.0.24-115.el6_10.src.rpm noarch: tomcat6-6.0.24-115.el6_10.noarch.rpm tomcat6-el-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-jsp-2.1-api-6.0.24-115.el6_10.noarch.rpm tomcat6-lib-6.0.24-115.el6_10.noarch.rpm tomcat6-servlet-2.5-api-6.0.24-115.el6_10.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): noarch: tomcat6-admin-webapps-6.0.24-115.el6_10.noarch.rpm tomcat6-docs-webapp-6.0.24-115.el6_10.noarch.rpm tomcat6-javadoc-6.0.24-115.el6_10.noarch.rpm tomcat6-webapps-6.0.24-115.el6_10.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuIAOtzjgjWX9erEAQircxAAiJgOBZ2LET65r7XgAUP0MKNR8/ftKZkx VCnUU/yGylYEi5x7PODw8u/wGpmgbaC6rOfsHOETf/SEeUII2CgBUrK4A84/+ySc hxxUZJYJju5F2GcUsneictfVRJhdgehZuD/1Xa8M+x39TwAOqEH6U6+lKjZjCZCE oGLm8zXXePN21rsuF342CsI1/Z0ecCbYZgsIbvNksmtFWkqAsoprJNOJX7mz8QSd wd/mo85aWcL3e3EO9hClLD6wsX4UiiEn6zkuWgtucgqhaX8DnCwRh6aRHvHZBUtO TC+F2gmxl6jqFqK3Yy9Q7VYY5Cf7eeePzDgIVdPOuNuxNQh1y6QIPe+rt1WqNhaF +p+WgjB1GTRoUIQKQ3XwvI4zBypD01ZnZLUicUBMhenOBm8DfeYZ4UusMrJi3AVs rj7ElHVQtBT5S2SkF7RJGPcFV6/UY0XatHHZMZ19ugwiOED+uCpCO3EH/lQbAOLf Ei5Wb6a9uyNGfp/qFuHPzQzGlYr3EVwiv6EL0ME8tclXzV38LWEllQHAAkjGrYv/ xPDFbY4uvK9w26hQyqElycB4wJcn6c3i5D05TDUg92fE+TQ5O9nFlcDV3E+VafoZ sP45dVLPlUh307m/OhCgctbqLcnLef/mQJrUzwc3FR6/AI+R5WAekP47OEJd/Min JP21Ib3I3uM=oD9n -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a reverse proxy, a remote attacker could possibly use this issue to perform HTTP Reqest Smuggling. (CVE-2020-1935) It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. ========================================================================== Ubuntu Security Notice USN-4596-1 October 21, 2020 tomcat9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Tomcat. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. (CVE-2020-11996) It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could possibly use this to generate an OutOfMemoryException, resulting in a denial of service. (CVE-2020-13934) It was discovered that Tomcat did not properly validate the payload length in a WebSocket frame. An attacker could possibly use this to trigger an infinite loop, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat did not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-9484) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: libtomcat9-embed-java 9.0.31-1ubuntu0.1 libtomcat9-java 9.0.31-1ubuntu0.1 tomcat9 9.0.31-1ubuntu0.1 tomcat9-common 9.0.31-1ubuntu0.1 In general, a standard system update will make all the necessary changes. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2046279 - CVE-2022-22932 karaf: path traversal flaws 2046282 - CVE-2021-41766 karaf: insecure java deserialization 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization 5

Trust: 1.89

sources: NVD: CVE-2020-9484 // VULHUB: VHN-187609 // VULMON: CVE-2020-9484 // PACKETSTORM: 168857 // PACKETSTORM: 179696 // PACKETSTORM: 158030 // PACKETSTORM: 158050 // PACKETSTORM: 158761 // PACKETSTORM: 158034 // PACKETSTORM: 158032 // PACKETSTORM: 159666 // PACKETSTORM: 167841

AFFECTED PRODUCTS

vendor:mcafeemodel:epolicy orchestratorscope:eqversion:5.9.1

Trust: 1.0

vendor:mcafeemodel:epolicy orchestratorscope:eqversion:5.10.0

Trust: 1.0

vendor:oraclemodel:communications cloud native core binding support functionscope:eqversion:1.10.0

Trust: 1.0

vendor:apachemodel:tomcatscope:ltversion:7.0.108

Trust: 1.0

vendor:oraclemodel:communications session route managerscope:gteversion:8.2.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:oraclemodel:instantis enterprisetrackscope:gteversion:17.1

Trust: 1.0

vendor:oraclemodel:agile engineering data managementscope:eqversion:6.2.1.0

Trust: 1.0

vendor:oraclemodel:hospitality guest accessscope:eqversion:4.2.1

Trust: 1.0

vendor:oraclemodel:communications session route managerscope:lteversion:8.2.2

Trust: 1.0

vendor:mcafeemodel:epolicy orchestratorscope:eqversion:5.9.0

Trust: 1.0

vendor:apachemodel:tomcatscope:gteversion:7.0.0

Trust: 1.0

vendor:oraclemodel:retail order brokerscope:eqversion:15.0

Trust: 1.0

vendor:oraclemodel:transportation managementscope:eqversion:6.3.7

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:oraclemodel:databasescope:eqversion:21c

Trust: 1.0

vendor:apachemodel:tomcatscope:eqversion:9.0.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:32

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:lteversion:8.4.0.5

Trust: 1.0

vendor:oraclemodel:workload managerscope:eqversion:18c

Trust: 1.0

vendor:oraclemodel:communications session report managerscope:gteversion:8.2.0

Trust: 1.0

vendor:oraclemodel:communications instant messaging serverscope:eqversion:10.0.1.4.0

Trust: 1.0

vendor:oraclemodel:fmw platformscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:communications session report managerscope:lteversion:8.2.2

Trust: 1.0

vendor:apachemodel:tomcatscope:ltversion:9.0.43

Trust: 1.0

vendor:oraclemodel:fmw platformscope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:apachemodel:tomcatscope:eqversion:10.0.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:31

Trust: 1.0

vendor:oraclemodel:communications element managerscope:gteversion:8.2.0

Trust: 1.0

vendor:oraclemodel:siebel apps - marketingscope:lteversion:21.9

Trust: 1.0

vendor:oraclemodel:agile plmscope:eqversion:9.3.3

Trust: 1.0

vendor:oraclemodel:communications element managerscope:lteversion:8.2.2

Trust: 1.0

vendor:oraclemodel:workload managerscope:eqversion:12.2.0.1

Trust: 1.0

vendor:oraclemodel:workload managerscope:eqversion:19c

Trust: 1.0

vendor:oraclemodel:agile plmscope:eqversion:9.3.6

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:gteversion:8.0.0.0

Trust: 1.0

vendor:oraclemodel:agile plmscope:eqversion:9.3.5

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:16.04

Trust: 1.0

vendor:apachemodel:tomcatscope:gteversion:8.5.0

Trust: 1.0

vendor:oraclemodel:hospitality guest accessscope:eqversion:4.2.0

Trust: 1.0

vendor:oraclemodel:mysql enterprise monitorscope:lteversion:8.0.21

Trust: 1.0

vendor:apachemodel:tomcatscope:gteversion:9.0.1

Trust: 1.0

vendor:oraclemodel:managed file transferscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:oraclemodel:managed file transferscope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:20.04

Trust: 1.0

vendor:oraclemodel:siebel ui frameworkscope:lteversion:20.12

Trust: 1.0

vendor:apachemodel:tomcatscope:ltversion:8.5.63

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:15.1

Trust: 1.0

vendor:oraclemodel:databasescope:eqversion:12.2.0.1

Trust: 1.0

vendor:oraclemodel:communications cloud native core policyscope:eqversion:1.14.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:oraclemodel:instantis enterprisetrackscope:lteversion:17.3

Trust: 1.0

vendor:oraclemodel:databasescope:eqversion:19c

Trust: 1.0

sources: NVD: CVE-2020-9484

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9484
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202005-1078
value: HIGH

Trust: 0.6

VULHUB: VHN-187609
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-9484
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-9484
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-187609
severity: MEDIUM
baseScore: 4.4
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9484
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-187609 // VULMON: CVE-2020-9484 // CNNVD: CNNVD-202005-1078 // NVD: CVE-2020-9484

PROBLEMTYPE DATA

problemtype:CWE-502

Trust: 1.1

sources: VULHUB: VHN-187609 // NVD: CVE-2020-9484

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202005-1078

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202005-1078

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-187609

PATCH

title:Apache Tomcat Fixes for code issue vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=120592

Trust: 0.6

title:Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202509 - Security Advisory

Trust: 0.1

title:Red Hat: Important: tomcat security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202530 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202506 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202487 - Security Advisory

Trust: 0.1

title:Red Hat: Important: tomcat6 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202529 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202483 - Security Advisory

Trust: 0.1

title:Debian CVElist Bug Report Logs: tomcat9: CVE-2020-9484url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=cc55062b1693f83a222063668ffd932c

Trust: 0.1

title:Red Hat: Important: Red Hat support for Spring Boot 2.1.15 security and bug fix updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20203017 - Security Advisory

Trust: 0.1

title:Amazon Linux AMI: ALAS-2020-1389url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1389

Trust: 0.1

title:Amazon Linux AMI: ALAS-2020-1390url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2020-1390

Trust: 0.1

title:Arch Linux Advisories: [ASA-202006-5] tomcat8: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202006-5

Trust: 0.1

title:Amazon Linux 2: ALAS2-2020-1449url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2020-1449

Trust: 0.1

title:Arch Linux Advisories: [ASA-202006-7] tomcat9: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202006-7

Trust: 0.1

title:Arch Linux Advisories: [ASA-202005-19] tomcat7: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202005-19

Trust: 0.1

title:Amazon Linux AMI: ALAS-2021-1493url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2021-1493

Trust: 0.1

title:Amazon Linux 2: ALASTOMCAT8.5-2023-008url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASTOMCAT8.5-2023-008

Trust: 0.1

title:Amazon Linux AMI: ALAS-2021-1491url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2021-1491

Trust: 0.1

title:Arch Linux Advisories: [ASA-202005-18] tomcat9: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202005-18

Trust: 0.1

title:Arch Linux Advisories: [ASA-202006-6] tomcat7: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202006-6

Trust: 0.1

title:Arch Linux Advisories: [ASA-202005-20] tomcat8: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-202005-20

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2020-9484 log

Trust: 0.1

title:Debian Security Advisories: DSA-4727-1 tomcat9 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=948379f644728cd78397969845b23817

Trust: 0.1

title:Debian Security Advisories: DSA-5265-1 tomcat9 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=5ff46eee51fe9c568d7579825e9f7646

Trust: 0.1

title:Ubuntu Security Notice: USN-5360-1: Tomcat vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5360-1

Trust: 0.1

title:Amazon Linux 2: ALASTOMCAT8.5-2023-009url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASTOMCAT8.5-2023-009

Trust: 0.1

title:IBM: Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphonyurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=b4bdf241c7e678e09423e98e7d3134b8

Trust: 0.1

title:IBM: Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Centerurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6625900b3dffe0c4351300480ad4824f

Trust: 0.1

title:Red Hat: Important: Red Hat Fuse 7.11.0 release and security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20225532 - Security Advisory

Trust: 0.1

title:https://github.com/osamahamad/CVE-2020-9484-Mass-Scanurl:https://github.com/osamahamad/CVE-2020-9484-Mass-Scan

Trust: 0.1

title:https://github.com/anjai94/CVE-2020-9484-exploiturl:https://github.com/anjai94/CVE-2020-9484-exploit

Trust: 0.1

title:CVE-2020-9484url:https://github.com/DXY0411/CVE-2020-9484

Trust: 0.1

title:CVE-2020-9484url:https://github.com/AssassinUKG/CVE-2020-9484

Trust: 0.1

title:summaryurl:https://github.com/Catbamboo/Catbamboo.github.io

Trust: 0.1

sources: VULMON: CVE-2020-9484 // CNNVD: CNNVD-202005-1078

EXTERNAL IDS

db:NVDid:CVE-2020-9484

Trust: 2.7

db:MCAFEEid:SB10332

Trust: 1.7

db:OPENWALLid:OSS-SECURITY/2021/03/01/2

Trust: 1.7

db:PACKETSTORMid:157924

Trust: 1.1

db:PACKETSTORMid:158761

Trust: 0.8

db:PACKETSTORMid:167841

Trust: 0.8

db:PACKETSTORMid:159666

Trust: 0.8

db:PACKETSTORMid:158050

Trust: 0.8

db:PACKETSTORMid:158103

Trust: 0.7

db:PACKETSTORMid:158621

Trust: 0.7

db:CNNVDid:CNNVD-202005-1078

Trust: 0.7

db:AUSCERTid:ESB-2020.2554

Trust: 0.6

db:AUSCERTid:ESB-2021.0742

Trust: 0.6

db:AUSCERTid:ESB-2022.0993

Trust: 0.6

db:AUSCERTid:ESB-2021.0938

Trust: 0.6

db:AUSCERTid:ESB-2020.2110

Trust: 0.6

db:AUSCERTid:ESB-2020.2046

Trust: 0.6

db:AUSCERTid:ESB-2020.1887

Trust: 0.6

db:AUSCERTid:ESB-2020.2447

Trust: 0.6

db:AUSCERTid:ESB-2020.3547

Trust: 0.6

db:AUSCERTid:ESB-2020.3628

Trust: 0.6

db:AUSCERTid:ESB-2022.1404

Trust: 0.6

db:AUSCERTid:ESB-2020.1793

Trust: 0.6

db:AUSCERTid:ESB-2020.2362

Trust: 0.6

db:AUSCERTid:ESB-2021.2261

Trust: 0.6

db:AUSCERTid:ESB-2021.1130

Trust: 0.6

db:AUSCERTid:ESB-2020.2670

Trust: 0.6

db:AUSCERTid:ESB-2020.2089

Trust: 0.6

db:AUSCERTid:ESB-2021.2731

Trust: 0.6

db:AUSCERTid:ESB-2020.1837

Trust: 0.6

db:NSFOCUSid:46749

Trust: 0.6

db:CS-HELPid:SB2022040522

Trust: 0.6

db:CS-HELPid:SB2021072123

Trust: 0.6

db:CS-HELPid:SB2021063003

Trust: 0.6

db:CS-HELPid:SB2022030854

Trust: 0.6

db:PACKETSTORMid:158030

Trust: 0.2

db:PACKETSTORMid:158032

Trust: 0.2

db:PACKETSTORMid:158034

Trust: 0.2

db:PACKETSTORMid:158029

Trust: 0.1

db:PACKETSTORMid:158049

Trust: 0.1

db:SEEBUGid:SSVID-98234

Trust: 0.1

db:CNVDid:CNVD-2020-34449

Trust: 0.1

db:VULHUBid:VHN-187609

Trust: 0.1

db:VULMONid:CVE-2020-9484

Trust: 0.1

db:PACKETSTORMid:168857

Trust: 0.1

db:PACKETSTORMid:179696

Trust: 0.1

sources: VULHUB: VHN-187609 // VULMON: CVE-2020-9484 // PACKETSTORM: 168857 // PACKETSTORM: 179696 // PACKETSTORM: 158030 // PACKETSTORM: 158050 // PACKETSTORM: 158761 // PACKETSTORM: 158034 // PACKETSTORM: 158032 // PACKETSTORM: 159666 // PACKETSTORM: 167841 // CNNVD: CNNVD-202005-1078 // NVD: CVE-2020-9484

REFERENCES

url:http://packetstormsecurity.com/files/157924/apache-tomcat-cve-2020-9484-proof-of-concept.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujan2021.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpuoct2020.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpuoct2021.html

Trust: 2.3

url:https://security.netapp.com/advisory/ntap-20200528-0005/

Trust: 1.7

url:https://www.debian.org/security/2020/dsa-4727

Trust: 1.7

url:http://seclists.org/fulldisclosure/2020/jun/6

Trust: 1.7

url:https://security.gentoo.org/glsa/202006-21

Trust: 1.7

url:https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3cannounce.tomcat.apache.org%3e

Trust: 1.7

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.7

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 1.7

url:https://www.oracle.com/security-alerts/cpujan2022.html

Trust: 1.7

url:https://www.oracle.com/security-alerts/cpujul2022.html

Trust: 1.7

url:https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html

Trust: 1.7

url:https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

Trust: 1.7

url:https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html

Trust: 1.7

url:http://www.openwall.com/lists/oss-security/2021/03/01/2

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html

Trust: 1.7

url:https://usn.ubuntu.com/4448-1/

Trust: 1.7

url:https://usn.ubuntu.com/4596-1/

Trust: 1.7

url:https://kc.mcafee.com/corporate/index?page=content&id=sb10332

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-9484

Trust: 1.5

url:https://access.redhat.com/security/cve/cve-2020-9484

Trust: 1.1

url:https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/

Trust: 1.0

url:https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/

Trust: 1.0

url:https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/

Trust: 0.7

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3cusers.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2021.0938

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3547/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3628/

Trust: 0.6

url:http://www.nsfocus.net/vulndb/46749

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2089/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2110/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2362/

Trust: 0.6

url:https://packetstormsecurity.com/files/158050/red-hat-security-advisory-2020-2529-01.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072123

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022040522

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2554/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2447/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1130

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-tomcat-vulnerabilities-affect-ibm-control-center/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1837/

Trust: 0.6

url:https://www.oracle.com/security-alerts/cpujul2021.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2261

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-tomcat-code-execution-via-persistencemanager-32313

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1887/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1404

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-vulnerabilities-affect-ibm-watson-text-to-speech-and-speech-to-text-ibm-watson-speech-services-for-cloud-pak-for-data-1-2-2/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0993

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1793/

Trust: 0.6

url:https://packetstormsecurity.com/files/158621/red-hat-security-advisory-2020-3017-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2046/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2670/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.0742

Trust: 0.6

url:https://packetstormsecurity.com/files/158103/gentoo-linux-security-advisory-202006-21.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021063003

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.2731

Trust: 0.6

url:https://packetstormsecurity.com/files/158761/ubuntu-security-notice-usn-4448-1.html

Trust: 0.6

url:https://packetstormsecurity.com/files/159666/ubuntu-security-notice-usn-4596-1.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030854

Trust: 0.6

url:https://packetstormsecurity.com/files/167841/red-hat-security-advisory-2022-5532-01.html

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-tomcat-affects-ibm-platform-symphony-3/

Trust: 0.6

url:https://bugzilla.redhat.com/):

Trust: 0.5

url:https://access.redhat.com/security/team/contact/

Trust: 0.5

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.5

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2020-13935

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2020-11996

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-13934

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://kc.mcafee.com/corporate/index?page=content&amp;id=sb10332

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/tomcat9

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://ubuntu.com/security/notices/usn-6908-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-0221

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2487

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver&downloadtype=securitypatches&version=3.1

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2529

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.13

Trust: 0.1

url:https://usn.ubuntu.com/4448-1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-1935

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2509

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver&downloadtype=securitypatches&version=5.3

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2506

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.1

Trust: 0.1

url:https://usn.ubuntu.com/4596-1

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3629

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-29582

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-40690

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-0084

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-25122

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-25845

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22060

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22573

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-25122

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-2471

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26336

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22119

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-24122

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22569

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22970

Trust: 0.1

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.11.0

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-7020

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22119

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23913

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-35517

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-35516

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33813

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21724

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22950

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22932

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-30126

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22978

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33037

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-25329

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-42340

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3642

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3859

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-30640

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-4178

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22971

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22096

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3807

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41079

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-38153

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-15250

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23181

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-36518

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-15250

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43797

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22096

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22976

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22573

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7020

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-22968

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1319

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-24614

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25689

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-22569

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23596

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-25689

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-24122

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-36090

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-23221

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-22060

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-21363

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-43859

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-26520

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-2471

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-42550

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41766

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-29505

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-29582

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-36518

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2022-1259

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-35515

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:5532

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-3644

Trust: 0.1

sources: VULHUB: VHN-187609 // PACKETSTORM: 168857 // PACKETSTORM: 179696 // PACKETSTORM: 158030 // PACKETSTORM: 158050 // PACKETSTORM: 158761 // PACKETSTORM: 158034 // PACKETSTORM: 158032 // PACKETSTORM: 159666 // PACKETSTORM: 167841 // CNNVD: CNNVD-202005-1078 // NVD: CVE-2020-9484

CREDITS

Ubuntu

Trust: 0.9

sources: PACKETSTORM: 179696 // PACKETSTORM: 158761 // PACKETSTORM: 159666 // CNNVD: CNNVD-202005-1078

SOURCES

db:VULHUBid:VHN-187609
db:VULMONid:CVE-2020-9484
db:PACKETSTORMid:168857
db:PACKETSTORMid:179696
db:PACKETSTORMid:158030
db:PACKETSTORMid:158050
db:PACKETSTORMid:158761
db:PACKETSTORMid:158034
db:PACKETSTORMid:158032
db:PACKETSTORMid:159666
db:PACKETSTORMid:167841
db:CNNVDid:CNNVD-202005-1078
db:NVDid:CVE-2020-9484

LAST UPDATE DATE

2025-04-27T19:55:50.298000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-187609date:2022-07-25T00:00:00
db:VULMONid:CVE-2020-9484date:2023-11-07T00:00:00
db:CNNVDid:CNNVD-202005-1078date:2023-07-20T00:00:00
db:NVDid:CVE-2020-9484date:2024-11-21T05:40:44.420

SOURCES RELEASE DATE

db:VULHUBid:VHN-187609date:2020-05-20T00:00:00
db:VULMONid:CVE-2020-9484date:2020-05-20T00:00:00
db:PACKETSTORMid:168857date:2020-07-28T19:12:00
db:PACKETSTORMid:179696date:2024-07-24T13:32:46
db:PACKETSTORMid:158030date:2020-06-11T16:33:05
db:PACKETSTORMid:158050date:2020-06-11T16:36:37
db:PACKETSTORMid:158761date:2020-08-05T15:19:31
db:PACKETSTORMid:158034date:2020-06-11T16:33:52
db:PACKETSTORMid:158032date:2020-06-11T16:33:22
db:PACKETSTORMid:159666date:2020-10-21T15:52:39
db:PACKETSTORMid:167841date:2022-07-27T17:27:19
db:CNNVDid:CNNVD-202005-1078date:2020-05-20T00:00:00
db:NVDid:CVE-2020-9484date:2020-05-20T19:15:09.257