CVE-2023-34981 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Vendor	Product	Version
apache	tomcat	8.5.88
apache	tomcat	9.0.74
apache	tomcat	10.1.8
apache	tomcat	11.0.0:milestone5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.6-1+deb12u2 not-affected
bookworm (security)	10.1.6-1+deb12u2 fixed
trixie	10.1.34-1 fixed
sid	10.1.34-1 fixed

tomcat9

bullseye (security)	9.0.43-2~deb11u10 fixed
bullseye	9.0.43-2~deb11u10 fixed
bookworm	9.0.70-2 not-affected
trixie	9.0.95-1 fixed
sid	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat6

oracular	dne
noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
focal	dne
bionic	dne
xenial	needs-triage
trusty	ignored

tomcat7

oracular	dne
noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	ignored

tomcat8

oracular	dne
noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	dne

tomcat9

oracular	needs-triage
noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz

https://security.netapp.com/advisory/ntap-20230714-0003/

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz

https://security.netapp.com/advisory/ntap-20230714-0003/