CVE-2022-23181: Time-of-check Time-of-use (TOCTOU) Race Condition

January 27, 2022 (updated November 7, 2022)

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

References

lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9
nvd.nist.gov/vuln/detail/CVE-2022-23181

Code Behaviors & Features

Detect and mitigate CVE-2022-23181 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →