CVE-2022-29885: Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.98412%
CWE
Published
5/13/2022
Updated
3/11/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | maven | >= 10.1.0-M1, < 10.1.0-M15 | 10.1.0-M15 |
| org.apache.tomcat:tomcat | maven | >= 10.0.0-M1, < 10.0.21 | 10.0.21 |
| org.apache.tomcat:tomcat | maven | >= 9.0.13, < 9.0.63 | 9.0.63 |
| org.apache.tomcat:tomcat | maven | >= 8.5.38, < 8.5.79 | 8.5.79 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability CVE-2022-29885 stems from documentation inaccuracies rather than code flaws. The EncryptInterceptor itself was not inherently vulnerable; instead, the documentation incorrectly claimed it provided sufficient protection for untrusted networks. The patches (e.g., in changelog.xml and cluster-howto.xml) only updated documentation to clarify that EncryptInterceptor does not mitigate DoS risks. No code changes to the EncryptInterceptor or related functions were made in the provided commit diffs. Thus, there are no specific functions in the codebase identified as vulnerable: the issue lies in misleading documentation leading to insecure deployment decisions.