CVE-2020-9484

high

Description

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103, if

a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
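Conditions b) and c) are server-side configuration, so a defender can audit for them directly in context.xml (or server.xml) rather than waiting for a scanner plugin. The script below is an added example, not part of the CVE record and not Tomcat's own code: it parses a Tomcat context fragment and reports any PersistentManager that uses a FileStore while its sessionAttributeValueClassNameFilter is absent, "null", or lax enough to admit arbitrary class names. The sample context.xml fragments, the probe class names used to judge laxness, and the modelling of Tomcat's filter as a whole-class-name regex match are assumptions constructed for this example; the tight allow-list pattern in the hardened sample is the kind of filter Tomcat documents for SecurityManager deployments. Passing this check does not replace upgrading to a fixed release.

```python
"""Audit Tomcat context.xml for the CVE-2020-9484 session-persistence pattern.

Added example for this CVE record; not Tomcat's code. Flags a
PersistentManager + FileStore pair whose sessionAttributeValueClassNameFilter
is missing, "null", or lax. Version patching is still required regardless.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed probe class names: a filter that accepts either of these admits
# far more than JDK value types and is treated as lax for this audit.
LAX_PROBES = ("java.util.HashMap", "com.example.ArbitraryType")


def filter_is_lax(pattern: str) -> bool:
    """True if the regex admits class names outside a tight allow-list.

    Assumption: Tomcat applies the filter to the full class name, modelled
    here with re.fullmatch. An unparseable pattern is reported as lax so
    that it gets a human review rather than silently passing.
    """
    try:
        compiled = re.compile(pattern)
    except re.error:
        return True
    return any(compiled.fullmatch(name) for name in LAX_PROBES)


def audit_context_xml(xml_text: str) -> list[str]:
    """Return one finding string per vulnerable Manager element.

    An empty list means the FileStore/filter condition of CVE-2020-9484 is
    not present in this fragment (it says nothing about the Tomcat version).
    """
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue  # StandardManager (the default) does not use a FileStore
        file_stores = [s for s in manager.findall("Store")
                       if s.get("className") == FILE_STORE]
        if not file_stores:
            continue  # e.g. JDBCStore: outside the scope of this check
        directory = file_stores[0].get("directory", "(Tomcat default)")
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip() == "" or flt.strip().lower() == "null":
            findings.append(
                f"PersistentManager with FileStore (directory={directory}) has "
                "no sessionAttributeValueClassNameFilter: any serialized class "
                "placed in the store directory will be deserialized")
        elif filter_is_lax(flt):
            findings.append(
                f"PersistentManager with FileStore (directory={directory}) "
                f"uses a lax filter {flt!r}")
    return findings


# Constructed sample fragments for this example.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

LAX_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Hardened form: an explicit allow-list of JDK value types.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == "__main__":
    for label, xml_text in [("vulnerable", VULNERABLE_CONTEXT),
                            ("lax", LAX_CONTEXT),
                            ("hardened", HARDENED_CONTEXT),
                            ("default", DEFAULT_CONTEXT)]:
        print(f"{label}: {audit_context_xml(xml_text) or ['no findings']}")
```

Run it against a real context.xml by reading the file into `audit_context_xml`; a non-empty result on a Tomcat build in the affected ranges above means conditions b) and c) hold and the host should be treated as exposed until it is upgraded or the filter is tightened.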

References

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://security.netapp.com/advisory/ntap-20200528-0005/

https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

http://seclists.org/fulldisclosure/2020/Jun/6

http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html

https://security.gentoo.org/glsa/202006-21

https://lists.fedoraproject.org/archives/list/[email protected]/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/

https://lists.fedoraproject.org/archives/list/[email protected]/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.debian.org/security/2020/dsa-4727

https://usn.ubuntu.com/4448-1/

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://kc.mcafee.com/corporate/index?page=content&id=SB10332

https://www.oracle.com/security-alerts/cpuoct2020.html

https://usn.ubuntu.com/4596-1/

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

http://www.openwall.com/lists/oss-security/2021/03/01/2

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2020-05-20

Updated: 2021-10-20

Type: CWE-502

Risk Information

CVSS v2

Base Score: 4.4

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3

Base Score: 7

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*

cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* versions from 8.0.0.0 to 8.4.0.5 (inclusive)

cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:* versions from 17.1 to 17.3 (inclusive)

cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* versions up to 8.0.21 (inclusive)

cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* versions up to 20.12 (inclusive)

cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*

cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*

cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*

cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*

cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*

cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*

Tenable Plugins (49 total)

ID | Name | Product | Family | Severity
154560 | NewStart CGSL CORE 5.05 / MAIN 5.05 : tomcat Vulnerability (NS-SA-2021-0135) | Nessus | NewStart CGSL Local Security Checks | high
150946 | Apache Tomcat 10.0.0.M1 < 10.0.0.M5 vulnerability | Nessus | Web Servers | high
701351 | Apache Tomcat < 10.0.0-M5 Vulnerability | Nessus Network Monitor | Web Servers | medium
701350 | Apache Tomcat < 10.0.2 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium
150856 | Apache Tomcat 10.0.0-M1 < 10.0.2 multiple vulnerabilities | Nessus | Web Servers | high
150581 | SUSE SLES11 Security Update : tomcat6 (SUSE-SU-2020:14375-1) | Nessus | SuSE Local Security Checks | high
148894 | Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU) | Nessus | Databases | medium
148378 | Amazon Linux AMI : tomcat7 (ALAS-2021-1493) | Nessus | Amazon Linux Local Security Checks | high
148309 | openSUSE Security Update : tomcat (openSUSE-2021-496) | Nessus | SuSE Local Security Checks | high
148132 | Amazon Linux AMI : tomcat8 (ALAS-2021-1491) | Nessus | Amazon Linux Local Security Checks | high
143961 | NewStart CGSL CORE 5.04 / MAIN 5.04 : tomcat Vulnerability (NS-SA-2020-0055) | Nessus | NewStart CGSL Local Security Checks | high
142210 | Oracle Business Process Management Suite (Oct 2020 CPU) | Nessus | Misc. | critical
141862 | Ubuntu 20.04 LTS : Tomcat vulnerabilities (USN-4596-1) | Nessus | Ubuntu Local Security Checks | high
141833 | McAfee ePolicy Orchestrator (SB10332) | Nessus | Windows | medium
140860 | EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-2093) | Nessus | Huawei Local Security Checks | high
140153 | EulerOS 2.0 SP5 : tomcat (EulerOS-SA-2020-1932) | Nessus | Huawei Local Security Checks | high
139368 | Ubuntu 16.04 LTS : Tomcat vulnerabilities (USN-4448-1) | Nessus | Ubuntu Local Security Checks | medium
139159 | EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1829) | Nessus | Huawei Local Security Checks | high
138647 | Debian DSA-4727-1 : tomcat9 - security update | Nessus | Debian Local Security Checks | high
138393 | Debian DLA-2279-1 : tomcat8 security update | Nessus | Debian Local Security Checks | high
138061 | Amazon Linux AMI : tomcat8 (ALAS-2020-1390) | Nessus | Amazon Linux Local Security Checks | high
138060 | Amazon Linux AMI : tomcat7 (ALAS-2020-1389) | Nessus | Amazon Linux Local Security Checks | high
138051 | Amazon Linux 2 : tomcat (ALAS-2020-1449) | Nessus | Amazon Linux Local Security Checks | high
137736 | Fedora 31 : 1:tomcat (2020-ce396e7d5c) | Nessus | Fedora Local Security Checks | high
137533 | Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20200611) | Nessus | Scientific Linux Local Security Checks | high
137530 | Oracle Linux 6 : tomcat6 (ELSA-2020-2529) | Nessus | Oracle Linux Local Security Checks | high
137487 | EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2020-1645) | Nessus | Huawei Local Security Checks | critical
137458 | GLSA-202006-21 : Apache Tomcat: Remote code execution | Nessus | Gentoo Local Security Checks | high
137390 | Scientific Linux Security Update : tomcat on SL7.x (noarch) (20200611) | Nessus | Scientific Linux Local Security Checks | high
137387 | Oracle Linux 7 : tomcat (ELSA-2020-2530) | Nessus | Oracle Linux Local Security Checks | high
137370 | CentOS 7 : tomcat (CESA-2020:2530) | Nessus | CentOS Local Security Checks | high
137360 | RHEL 7 : tomcat (RHSA-2020:2530) | Nessus | Red Hat Local Security Checks | high
137359 | RHEL 6 : tomcat6 (RHSA-2020:2529) | Nessus | Red Hat Local Security Checks | high
137324 | RHEL 6 : Red Hat JBoss Web Server 5.3.1 (RHSA-2020:2506) | Nessus | Red Hat Local Security Checks | high
137317 | Photon OS 1.0: Apache PHSA-2020-1.0-0298 | Nessus | PhotonOS Local Security Checks | high
137308 | RHEL 6 : Red Hat JBoss Web Server 3.1 Service Pack 9 (RHSA-2020:2483) | Nessus | Red Hat Local Security Checks | high
112429 | Apache Tomcat 7.0.x < 7.0.104 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high
112428 | Apache Tomcat 8.5.x < 8.5.55 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high
112427 | Apache Tomcat 9.0.0.M1 < 9.0.35 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high
112426 | Apache Tomcat 10.0.0-M1 < 10.0.0-M5 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high
137197 | Photon OS 2.0: Apache PHSA-2020-2.0-0248 | Nessus | PhotonOS Local Security Checks | high
137189 | Photon OS 3.0: Apache PHSA-2020-3.0-0100 | Nessus | PhotonOS Local Security Checks | high
136951 | Debian DLA-2209-1 : tomcat8 security update | Nessus | Debian Local Security Checks | critical
136889 | openSUSE Security Update : tomcat (openSUSE-2020-711) | Nessus | SuSE Local Security Checks | high
136851 | FreeBSD : Apache Tomcat Remote Code Execution via session persistence (676ca486-9c1e-11ea-8b5e-b42e99a1b9c3) | Nessus | FreeBSD Local Security Checks | high
136833 | Debian DLA-2217-1 : tomcat7 security update | Nessus | Debian Local Security Checks | critical
136807 | Apache Tomcat 8.5.x < 8.5.55 Remote Code Execution | Nessus | Web Servers | high
136806 | Apache Tomcat 9.0.0 < 9.0.35 Remote Code Execution | Nessus | Web Servers | high
136770 | Apache Tomcat 7.0.0 < 7.0.104 Remote Code Execution | Nessus | Web Servers | high