CVE-2022-29885 [High] | Denial of Service in Tomcat

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

EDB-ID	Source	Kind	Published	Link
51262	exploit_db	edb	2023-04-05	Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

51262

exploit_db

edb

2023-04-05

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-10	58.50%	55.53%	-2.97%
2	2026-03-28	60.11%	58.50%	-1.61%
3	2026-03-04	—	60.11%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-10

58.50%

55.53%

-2.97%

2026-03-28

60.11%

58.50%

-1.61%

2026-03-04

—

60.11%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2022-29885

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2022-29885 not yet assigned priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2022-29885
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2022-29885
`suse`	low	CVE-2022-29885 severity low: SUSE including 11 source package names (tomcat, tomcat-admin-webapps, …), 236 product×package rows across 40 product lines (HPE Helion OpenStack 8, SUSE CaaS Platform 4.0, … (40 product lines)): Will Not Fix 162, Known Not Affected 74.	https://www.suse.com/security/cve/CVE-2022-29885/
`ubuntu`	low	CVE-2022-29885 low priority: Ubuntu including 5 source packages (tomcat10, tomcat6, tomcat7, tomcat8, tomcat9), 39 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 14, ignored 8, not-affected 8, released 6, needs-triage 3.	https://ubuntu.com/security/CVE-2022-29885

Affected software / configurations for CVE-2022-29885

Vendor	Product	Version	Raw CPE
apache	tomcat	>= 8.5.38, <= 8.5.78	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 9.0.13, <= 9.0.62	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 10.0.0, <= 10.0.20	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*
oracle	hospitality_cruise_shipboard_property_management_system	20.2.1	cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.2.1:::::::*

References for CVE-2022-29885

URL	Tags
http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv	Mailing List Mitigation Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20220629-0002/	Third Party Advisory
https://www.debian.org/security/2022/dsa-5265	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

URL

CVE-2022-29885 | EncryptInterceptor does not provide complete protection on insecure networks

Public exploit references (Exploit-DB) for CVE-2022-29885

Exploit prediction scoring system (EPSS) score for CVE-2022-29885

Common vulnerability scoring system (CVSS) metrics for CVE-2022-29885

Weakness enumeration for CVE-2022-29885

GitHub Security Advisory for CVE-2022-29885

OS Trackers for CVE-2022-29885

Affected software / configurations for CVE-2022-29885

References for CVE-2022-29885