[ https://issues.apache.org/jira/browse/OFBIZ-12539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17482427#comment-17482427 ]

ASF subversion and git services commented on OFBIZ-12539:
---------------------------------------------------------

Commit 40e89450aec4a937b193552b5b3a29c20873a43c in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=40e8945 ]

Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)

The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability that allowed a local attacker to perform actions with the
privileges of the user that the Tomcat process is using. This issue is only
exploitable when Tomcat is configured to persist sessions using the FileStore.


> Upgrade Tomcat from 9.0.54 to 9.0.58
> ------------------------------------
>
>                 Key: OFBIZ-12539
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12539
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: Gradle
>    Affects Versions: 18.12.05, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> The fix for bug CVE-2020-9484 introduced a time of check, time of use 
> vulnerability that allowed a local attacker to perform actions with the 
> privileges of the user that the Tomcat process is using. This issue is only 
> exploitable when Tomcat is configured to persist sessions using the FileStore.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
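
The commit message above says the issue is only exploitable when Tomcat persists sessions using the FileStore. The following check is an added example, not part of the commit or of OFBiz: it scans a Tomcat `context.xml` for a `<Manager>` with a FileStore `<Store>` child and flags it when the running version is older than the 9.0.58 upgrade target named on this page. The sample configurations and the `exposed` helper are constructed for illustration, and treating every version below 9.0.58 as needing the upgrade is an assumption.

```python
import xml.etree.ElementTree as ET

FILESTORE = "org.apache.catalina.session.FileStore"
UPGRADE_TARGET = (9, 0, 58)  # version this commit upgrades to (from the page)

# Constructed sample configurations, not taken from OFBiz.
FILESTORE_CTX = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/tomcat/sessions"/>
  </Manager>
</Context>"""

JDBC_CTX = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.JDBCStore"/>
  </Manager>
</Context>"""

DEFAULT_CTX = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"


def filestore_dirs(xml_text):
    """Return the directory of every FileStore nested in a <Manager> element."""
    root = ET.fromstring(xml_text)
    dirs = []
    for manager in root.iter("Manager"):
        for store in manager.findall("Store"):
            if store.get("className") == FILESTORE:
                # With no 'directory' attribute Tomcat uses the webapp work dir.
                dirs.append(store.get("directory", "(default work directory)"))
    return dirs


def parse_version(text):
    """Turn '9.0.54' into (9, 0, 54) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def exposed(tomcat_version, xml_text):
    """Assumption: any version below the upgrade target with a FileStore is flagged."""
    return parse_version(tomcat_version) < UPGRADE_TARGET and bool(filestore_dirs(xml_text))


if __name__ == "__main__":
    for name, cfg in [("filestore", FILESTORE_CTX), ("jdbc", JDBC_CTX), ("default", DEFAULT_CTX)]:
        print(name, filestore_dirs(cfg), exposed("9.0.54", cfg))
```

Any directory reported by `filestore_dirs` is also worth reviewing for ownership and write permissions, since the issue described above requires a local attacker.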
