Apache patches High risk Tomcat vulnerability (CVE-2022-25762)

The Apache Software Foundation has patched a high-risk Apache Tomcat ‘Request Mix-up’ vulnerability, CVE-2022-25762.

A cyber attacker could exploit this vulnerability to access sensitive information.

Mark Thomas from Apache described the issue in an advisory post:

“If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong user and/or other errors.”
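To make the mechanism in the advisory concrete, here is an added Python model of a double release into an object pool beside a guarded pool that refuses it. This is illustrative code, not Tomcat's source or its patch; the class and function names are assumed, and the concurrent send and close are collapsed into sequential calls.

```python
class NaivePool:
    """Pre-fix behaviour: release() trusts the caller, so releasing the same
    object twice places it in the free list twice."""

    def __init__(self, size):
        self._free = [object() for _ in range(size)]  # opaque pooled objects

    def acquire(self):
        return self._free.pop()

    def release(self, obj):
        self._free.append(obj)


class GuardedPool(NaivePool):
    """Illustrative mitigation (not Tomcat's patch): remember what is checked
    out and refuse any release without a matching acquire."""

    def __init__(self, size):
        super().__init__(size)
        self._lent = set()

    def acquire(self):
        obj = super().acquire()
        self._lent.add(obj)
        return obj

    def release(self, obj):
        if obj not in self._lent:
            raise RuntimeError("object not checked out; double release refused")
        self._lent.discard(obj)
        super().release(obj)


def simulate_close_race(pool_cls):
    """Sequential stand-in for the race in the advisory: the close path
    returns a buffer, then error handling on the concurrent send returns it
    again. Two later connections then acquire; report whether both were
    handed the same object (the 'request mix-up')."""
    pool = pool_cls(2)
    buf = pool.acquire()
    pool.release(buf)            # connection close returns the buffer
    refused = False
    try:
        pool.release(buf)        # send-path error handling returns it again
    except RuntimeError:
        refused = True
    first, second = pool.acquire(), pool.acquire()
    return {"mixed_up": first is second, "double_release_refused": refused}
```

With `NaivePool` the two later connections share one object, which is the condition that lets data reach the wrong user; with `GuardedPool` the second release is rejected and each connection gets its own object.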

The vulnerability affects Apache Tomcat 9.0.0.M1 to 9.0.20 and also Apache Tomcat 8.5.0 to 8.5.75.

Users and administrators should upgrade their systems to one of the following versions:

  • Apache Tomcat 9.0.21 or later
  • Apache Tomcat 8.5.76 or later
