CVE-2022-25762 Score 8.6
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tomcat9 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Hi All,
i have not found anything about this security bug on this bug tracker. Please fix this asap
thank you
More Details
https:/
https:/
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
CVE References
| information type: | Private Security → Public Security |
| Changed in tomcat9 (Ubuntu): | |
| status: | New → Confirmed |
| Seth Arnold (seth-arnold) wrote | #1 |
| Hans Dampf (tomcat668) wrote | #2 |
| Seth Arnold (seth-arnold) wrote | #3 |
Hello Hans, the Ubuntu security team doesn't track security issues in Launchpad; you can check the status in:
https:/
tomcat9 is in universe, so it's community supported; there's currently a handful of issues still open in the 18.04 LTS version:
https:/
If you're in a position to be able to address this issue, it'd be nice if you could grab as many of the other open issues as possible.
Thanks