CVE-2022-29885

Source
https://cve.org/CVERecord?id=CVE-2022-29885
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29885.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-29885
Aliases
Downstream
Published
2022-05-12T00:00:00Z
Modified
2026-07-08T06:01:05.245003412Z
Summary
EncryptInterceptor does not provide complete protection on insecure networks
Details

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29885.json",
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-400"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14"
                },
                {
                    "last_affected": "Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M14"
                },
                {
                    "introduced": "Apache Tomcat 10 10.0.0-M1 to 10.0.20"
                },
                {
                    "last_affected": "Apache Tomcat 10 10.0.0-M1 to 10.0.20"
                },
                {
                    "introduced": "Apache Tomcat 9 9.0.13 to 9.0.62"
                },
                {
                    "last_affected": "Apache Tomcat 9 9.0.13 to 9.0.62"
                },
                {
                    "introduced": "Apache Tomcat 8.5 8.5.38 to 8.5.78"
                },
                {
                    "last_affected": "Apache Tomcat 8.5 8.5.38 to 8.5.78"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "8.5.38"
        },
        {
            "last_affected": "8.5.78"
        },
        {
            "introduced": "9.0.13"
        },
        {
            "last_affected": "9.0.62"
        },
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.0.20"
        },
        {
            "introduced": "10.1.0-milestone1"
        },
        {
            "last_affected": "10.1.0-milestone1"
        },
        {
            "introduced": "10.1.0-milestone10"
        },
        {
            "last_affected": "10.1.0-milestone10"
        },
        {
            "introduced": "10.1.0-milestone11"
        },
        {
            "last_affected": "10.1.0-milestone11"
        },
        {
            "introduced": "10.1.0-milestone12"
        },
        {
            "last_affected": "10.1.0-milestone12"
        },
        {
            "introduced": "10.1.0-milestone13"
        },
        {
            "last_affected": "10.1.0-milestone13"
        },
        {
            "introduced": "10.1.0-milestone14"
        },
        {
            "last_affected": "10.1.0-milestone14"
        },
        {
            "introduced": "10.1.0-milestone2"
        },
        {
            "last_affected": "10.1.0-milestone2"
        },
        {
            "introduced": "10.1.0-milestone3"
        },
        {
            "last_affected": "10.1.0-milestone3"
        },
        {
            "introduced": "10.1.0-milestone4"
        },
        {
            "last_affected": "10.1.0-milestone4"
        },
        {
            "introduced": "10.1.0-milestone5"
        },
        {
            "last_affected": "10.1.0-milestone5"
        },
        {
            "introduced": "10.1.0-milestone6"
        },
        {
            "last_affected": "10.1.0-milestone6"
        },
        {
            "introduced": "10.1.0-milestone7"
        },
        {
            "last_affected": "10.1.0-milestone7"
        },
        {
            "introduced": "10.1.0-milestone8"
        },
        {
            "last_affected": "10.1.0-milestone8"
        },
        {
            "introduced": "10.1.0-milestone9"
        },
        {
            "last_affected": "10.1.0-milestone9"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

10.*
10.1.0-milestone1
10.1.0-milestone10
10.1.0-milestone11
10.1.0-milestone12
10.1.0-milestone13
10.1.0-milestone14
10.1.0-milestone2
10.1.0-milestone3
10.1.0-milestone4
10.1.0-milestone5
10.1.0-milestone6
10.1.0-milestone7
10.1.0-milestone8
10.1.0-milestone9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29885.json"