Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/05/12 19:57:23 UTC

[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75

Description:
If a web application sends a WebSocket message concurrently with the 
WebSocket connection closing, it is possible that the application will 
continue to use the socket after it has been closed. The error handling 
triggered in this case could cause a pooled object to be placed in 
the pool twice. This could result in subsequent connections using the 
same object concurrently, which could result in data being returned to 
the wrong user and/or other errors.
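The failure mode described above, modelled as an added example (this is not Tomcat's code and does not claim to be Tomcat's fix): a naive pool that silently accepts the same object being returned twice, beside a pool that tracks what it has lent out and rejects the second return. All class and function names are constructed for the illustration.

```python
"""Model of the double-release pooling bug described in CVE-2022-25762.
Added example; class names and the pool design are constructed, not Tomcat's."""
from collections import deque


class NaivePool:
    """Returns objects to the pool without checking ownership. A double release
    duplicates the entry, so two later borrowers receive the same object."""

    def __init__(self, make):
        self._make = make      # factory for new objects when the pool is empty
        self._free = deque()

    def borrow(self):
        return self._free.popleft() if self._free else self._make()

    def release(self, obj):
        self._free.append(obj)


class CheckedPool(NaivePool):
    """Tracks which objects are currently lent out (by id(), since buffers such
    as bytearray are unhashable). A second release of the same object is
    rejected instead of being duplicated in the free list."""

    def __init__(self, make):
        super().__init__(make)
        self._lent = set()

    def borrow(self):
        obj = super().borrow()
        self._lent.add(id(obj))
        return obj

    def release(self, obj):
        if id(obj) not in self._lent:
            raise RuntimeError("object released twice or never borrowed")
        self._lent.discard(id(obj))
        super().release(obj)


def simulate_close_race(pool):
    """Replay the advisory's scenario: one buffer is borrowed for a WebSocket
    connection, then released both by the normal close path and by the error
    handler that fires for the concurrent send. Returns True when two later
    connections end up holding the very same object."""
    buf = pool.borrow()
    pool.release(buf)          # normal close path returns the buffer
    try:
        pool.release(buf)      # error handler for the late send returns it again
    except RuntimeError:
        pass                   # the checked pool refuses the second return
    conn_a = pool.borrow()
    conn_b = pool.borrow()
    return conn_a is conn_b    # True means the two connections share a buffer
```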

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later

History:
2022-05-12 Original advisory

Credit:
This issue was identified by the Apache Tomcat security team.

References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
