7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29885

GHSA ID

GHSA-r84p-88g2-2vx2

EPSS Score

0.98412%

CWE

CWE-400

Published

5/13/2022

Updated

3/11/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29885

CVE-2022-29885: Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29885

GHSA ID

GHSA-r84p-88g2-2vx2

EPSS Score

0.98412%

CWE

CWE-400

Published

5/13/2022

Updated

3/11/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 10.1.0-M1, < 10.1.0-M15	10.1.0-M15
org.apache.tomcat:tomcat	maven	>= 10.0.0-M1, < 10.0.21	10.0.21
org.apache.tomcat:tomcat	maven	>= 9.0.13, < 9.0.63	9.0.63
org.apache.tomcat:tomcat	maven	>= 8.5.38, < 8.5.79	8.5.79

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2022-29885 stems from documentation inaccuracies rather than code flaws. The EncryptInterceptor itself was not inherently vulnerable; instead, the documentation incorrectly claimed it provided sufficient protection for untrusted networks. The patches (e.g., in changelog.xml, cluster-howto.xml) only updated documentation to clarify that EncryptInterceptor does not mitigate DoS risks. No code changes to the EncryptInterceptor or related functions were made in the provided commit diffs. Thus, there are no specific functions in the codebase identified as vulnerable—the issue lies in misleading documentation leading to insecure deployment decisions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *o*um*nt*tion o* *p**** Tom**t **.*.*-M* to **.*.*-M**, **.*.*-M* to **.*.**, *.*.** to *.*.** *n* *.*.** to *.*.** *or t** *n*ryptInt*r**ptor in*orr**tly st*t** it *n**l** Tom**t *lust*rin* to run ov*r *n untrust** n*twork. T*is w*s not *orr**t.

Reasoning

T** vuln*r**ility *V*-****-***** st*ms *rom *o*um*nt*tion in***ur**i*s r*t**r t**n *o** *l*ws. T** `*n*ryptInt*r**ptor` its*l* w*s not in**r*ntly vuln*r**l*; inst***, t** *o*um*nt*tion in*orr**tly *l*im** it provi*** su**i*i*nt prot**tion *or untrust

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-29885: Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI