CVE-2020-9484
Public on 2020-05-20
Modified on 2021-04-07
Description
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | 2020-06-26 | ALAS2-2020-1449 | Fixed |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-008 | Fixed |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-009 | Fixed |
| Amazon Linux 1 | tomcat7 | 2020-06-23 | ALAS-2020-1389 | Fixed |
| Amazon Linux 1 | tomcat7 | 2021-04-07 | ALAS-2021-1493 | Fixed |
| Amazon Linux 1 | tomcat8 | 2020-06-23 | ALAS-2020-1390 | Fixed |
| Amazon Linux 1 | tomcat8 | 2021-03-23 | ALAS-2021-1491 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv2 | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| NVD | CVSSv3 | 7.0 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |