Vulnerability Details : CVE-2022-25762
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
Products affected by CVE-2022-25762
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Threat overview for CVE-2022-25762
Top countries where our scanners detected CVE-2022-25762
Top open port discovered on systems with this issue
80
IPs affected by CVE-2022-25762 321,246
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-25762!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-25762
0.25%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 64 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-25762
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
8.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
3.9
|
4.7
|
NIST |
CWE ids for CVE-2022-25762
-
The product does not release or incorrectly releases a resource before it is made available for re-use.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2022-25762
-
https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c
[SECURITY] CVE-2022-25762 Apache Tomcat - Request Mix-up-Apache Mail ArchivesMailing List;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20220629-0003/
CVE-2022-25762 Apache Tomcat Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Jump to