CVE-2022-25762 Apache Tomcat - Request Mix-up
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.20
Apache Tomcat 8.5.0 to 8.5.75
Description:
If a web application sends a WebSocket message concurrently with the
WebSocket connection closing, it is possible that the application will
continue to use the socket after it has been closed. The error handling
triggered in this case could cause the a pooled object to be placed in
the pool twice. This could result in subsequent connections using the
same object concurrently which could result in data being returned to
the wrong use and/or other errors.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.21 or later
- Upgrade to Apache Tomcat 8.5.76 or later
History:
2022-05-12 Original advisory
Credit:
This issue was identified by the Apache Tomcat security team.
References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
