FixVibe

// 코드 / 스포트라이트

Apache Tomcat Session-Persistence Advisory

Affected Tomcat runtimes become riskier when FileStore session persistence is enabled.

핵심

CVE-2020-9484 is a Tomcat deserialization advisory where version alone is not the whole story. The risky shape depends on an affected Tomcat release plus FileStore-backed session persistence and additional attacker-controlled file prerequisites. FixVibe keeps that distinction visible so a dependency match does not read like confirmed remote code execution.

어떻게 동작하나요

The repo check looks for Tomcat Catalina or embedded-core Maven coordinates in Java build files, including versions referenced through local Maven properties. It also reviews Tomcat `context.xml` and `server.xml` files for PersistentManager plus FileStore session persistence. Version-only matches are reported as version-based advisories; matching configuration strengthens the posture but still does not claim runtime exploitation was proven.

피해 범위

If an affected Tomcat runtime is deployed with FileStore-backed PersistentManager session persistence and the remaining advisory prerequisites are true, attackers may be able to trigger unsafe deserialization through session loading. A repo match should drive a Tomcat upgrade, dependency-tree review, and session persistence configuration review before anyone treats it as confirmed production exposure.

// fixvibe가 검사하는 항목

FixVibe가 검사하는 항목

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

확실한 방어

Upgrade the active Tomcat release line to 7.0.104, 8.5.55, 9.0.35, 10.0.0-M5, or newer. Update direct Tomcat artifacts, BOMs, Spring Boot-managed versions, Gradle constraints, or container base images as needed. Remove FileStore-backed PersistentManager session persistence unless required; if retained, configure a strict sessionAttributeValueClassNameFilter and rebuild the deployed WAR, JAR, or image.

// 내 앱에서 직접 실행해보세요

FixVibe가 지켜보는 동안 계속 배포하세요.

FixVibe는 공격자가 보는 것처럼 앱의 공개 영역을 압박 테스트합니다 — 에이전트도, 설치도, 카드도 필요 없어요. 새로운 취약점 패턴을 계속 연구해 실용적인 체크와 Cursor, Claude, Copilot에 바로 붙여넣을 수 있는 수정안으로 바꿉니다.

소스 코드
116
이 카테고리에서 실행되는 테스트
모듈
76
전용 소스 코드 검사
매 스캔
487+
모든 카테고리 합계 테스트
  • 무료 — 카드 없이, 설치 없이, Slack 알림 없이
  • URL만 붙여넣으세요 — 크롤, 탐지, 보고는 저희가
  • 심각도별 분류, 중복 제거된 신호만
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
무료 스캔 실행

// 최신 체크 · 실용적인 수정 · 자신 있게 배포

Apache Tomcat Session-Persistence Advisory — 취약점 스포트라이트 | FixVibe · FixVibe