{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-55955", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-06-17T18:04:49.663Z", "datePublished": "2026-06-29T20:44:39.779Z", "dateUpdated": "2026-06-29T22:24:33.117Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.22", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.55", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.118", "status": "affected", "version": "9.0.13", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.38", "versionType": "semver"}, {"lessThanOrEqual": "7.0.109", "status": "affected", "version": "7.0.100", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.</p><p>Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.</p>"}], "value": "Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-29T20:44:39.779Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: EncryptInterceptor not protected against replay attacks", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/06/29/24"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-29T22:24:33.117Z"}}]}}

{}

{}

{"affected_release": [{"advisory": "RHSA-2026:29203", "cpe": "cpe:/a:redhat:hummingbird:1", "impact": "important", "package": "tomcat10-main-10.1.56-1.hum1", "product_name": "Red Hat Hardened Images", "release_date": "2026-06-24T00:00:00Z"}, {"advisory": "RHSA-2026:32960", "cpe": "cpe:/a:redhat:hummingbird:1", "impact": "important", "package": "tomcat11-main-11.0.23-0.1.hum1", "product_name": "Red Hat Hardened Images", "release_date": "2026-06-29T00:00:00Z"}], "bugzilla": {"description": "tomcat: Apache Tomcat: Replay attack via improper authentication in EncryptionInterceptor", "id": "2494678", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494678"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-294", "details": ["A flaw was found in Apache Tomcat. An improper authentication vulnerability in the EncryptionInterceptor component allows a remote attacker to perform a replay attack. This could lead to unauthorized access or manipulation of data within the cluster component."], "mitigation": {"lang": "en:us", "value": "This vulnerability only affects Tomcat deployments using the EncryptionInterceptor for Tribes cluster communication. Deployments that do not use Tomcat clustering or do not configure the EncryptionInterceptor are not affected. Ensure cluster communication channels are restricted to trusted, isolated networks."}, "name": "CVE-2026-55955", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "jws5-tomcat", "product_name": "Red Hat JBoss Web Server 5"}], "public_date": "2026-06-29T20:44:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-55955\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-55955\nhttps://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106"], "statement": "A flaw was found in Apache Tomcat's EncryptionInterceptor used for Tribes cluster communication. An improper authentication vulnerability allows a replay attack against encrypted cluster messages. Exploitation requires the EncryptionInterceptor to be configured for Tomcat clustering, which is a non-default configuration, and the attacker must have access to the cluster network to capture and replay messages. Apache rates this vulnerability as Low severity. Red Hat has corrected the impact from IMPORTANT to MODERATE \u2014 the original AI-Bot CVSS of 8.2 (AV:N/AC:L) incorrectly scored this as internet-facing with low complexity, when Tribes cluster traffic is adjacent-network (AV:A) and requires non-default clustering configuration (AC:H). The corrected vector is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.2).", "threat_severity": "Moderate"}

{"created": "2026-06-29T22:30:05.222613+00:00", "updated": "2026-06-29T22:30:05.222619+00:00", "vendors": []}