CVE-2023-34981 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Affected Products (NVD)

Vendor	Product	Version
apache	tomcat	8.5.88
apache	tomcat	9.0.74
apache	tomcat	10.1.8
apache	tomcat	11.0.0:milestone5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.6-1+deb12u2 not-affected
bookworm (security)	10.1.6-1+deb12u2 fixed
sid	10.1.34-1 fixed
trixie	10.1.34-1 fixed

tomcat9

bookworm	9.0.70-2 not-affected
bullseye	9.0.43-2~deb11u10 fixed
bullseye (security)	9.0.43-2~deb11u10 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat6

bionic	dne
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	needs-triage

tomcat7

bionic	needs-triage
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	needs-triage

tomcat8

bionic	needs-triage
focal	dne
jammy	dne
kinetic	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	needs-triage

tomcat9

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
oracular	needs-triage
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz

https://security.netapp.com/advisory/ntap-20230714-0003/

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz

https://security.netapp.com/advisory/ntap-20230714-0003/