CVE-2020-9484

 

Published at: - 20-05-2020 09:15

Last modified: - 25-07-2022 08:15

Total changes: - 16

Description

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
• [tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence-Mailing List, Mitigation, Patch, Third Party Advisory
• [debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update-Third Party Advisory
• [tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence-Third Party Advisory
• openSUSE-SU-2020:0711-Third Party Advisory
• [tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence-Third Party Advisory
• https://security.netapp.com/advisory/ntap-20200528-0005/
• [debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update-Third Party Advisory
• 20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager-Mailing List, Third Party Advisory
• http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
• GLSA-202006-21-Third Party Advisory
• FEDORA-2020-ce396e7d5c-Mailing List, Third Party Advisory
• FEDORA-2020-d9169235a8-Mailing List, Third Party Advisory
• [tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.html xdocs/security-8.html xdocs/security-9.html-Mailing List, Patch, Vendor Advisory
• [debian-lts-announce] 20200712 [SECURITY] [DLA 2279-1] tomcat8 security update-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpujul2020.html
• DSA-4727-Third Party Advisory
• USN-4448-1-Third Party Advisory
• [tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)-Mailing List, Third Party Advisory
• [tomee-commits] 20201013 [jira] [Updated] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)-Mailing List, Patch, Third Party Advisory
• [tomee-commits] 20201013 [jira] [Created] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)-Mailing List, Third Party Advisory
• [tomee-commits] 20201013 [jira] [Commented] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)-Mailing List, Third Party Advisory
• https://kc.mcafee.com/corporate/index?page=content&id=SB10332
• https://www.oracle.com/security-alerts/cpuoct2020.html
• USN-4596-1-Third Party Advisory
• https://www.oracle.com/security-alerts/cpujan2021.html
• [tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.html xdocs/security-7.html xdocs/security-8.html xdocs/security-9.html-Exploit, Mailing List, Third Party Advisory
• [tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)-Mailing List, Third Party Advisory
• [tomcat-announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)-Mailing List, Third Party Advisory
• [announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)-Mailing List, Third Party Advisory
• [tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)-Mailing List, Third Party Advisory
• [oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484-Mailing List, Third Party Advisory
• [tomee-commits] 20210522 [jira] [Closed] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)-Mailing List, Third Party Advisory
• https://www.oracle.com/security-alerts/cpuApr2021.html
• [tomcat-users] 20210701 What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5-Mailing List, Third Party Advisory
• [tomcat-users] 20210701 Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5-Mailing List, Third Party Advisory
• [tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5-Mailing List, Third Party Advisory
• [tomcat-dev] 20210712 svn commit: r1891484 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.html xdocs/security-7.html xdocs/security-8.html xdocs/security-9.html-Mailing List, Patch, Third Party Advisory
• N/A-Patch, Third Party Advisory
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• N/A-

 

Keywords

NVD

 

CVE-2020-9484

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures