The description was incomplete

2021-03-16 16:25:48 +02:00 · 2021-03-16 16:25:48 +02:00 · 729b36c0a3
parent fe26771a2e
commit 729b36c0a3
1 changed files with 7 additions and 1 deletions
--- a/cves/2020/CVE-2020-9484.yaml
+++ b/cves/2020/CVE-2020-9484.yaml
@ -4,7 +4,13 @@ info:
  name: Apache Tomcat RCE by deserialization
  author: dwisiswant0
  severity: high
-  description: Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server
+  description: |
+    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if 
+    a) an attacker is able to control the contents and name of a file on the server; and 
+    b) the server is configured to use the PersistenceManager with a FileStore; and 
+    c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and 
+    d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
+    Note that all of conditions a) to d) must be true for the attack to succeed.
  tags: cve,cve2020,apache
  reference:
    - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html