apache tomcat CVE-2022-25762 in Apache and Oracle Products
Published on May 13, 2022

Response mix-up with WebSocket concurrent send and close

product logo product logo
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

NVD

Weakness Type

Improper Resource Shutdown or Release

The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.


Products Associated with CVE-2022-25762

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-25762 are published in these products:

Apache Tomcat
 
Oracle Agile Plm
 
Oracle
 

Affected Versions

Apache Software Foundation Apache Tomcat:

Exploit Probability

EPSS
0.66%
Percentile
70.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.