
CVE-2020-9484: Which session persistence manager is vulnerable?


I stumbled across CVE-2020-9484 (https://seclists.org/oss-sec/2020/q2/136).

Its vulnerability advisory states:

...
b) the server is configured to use the PersistenceManager with a
   FileStore; and
c) the PersistenceManager is configured with
   sessionAttributeValueClassNameFilter="null" (the default unless a
   SecurityManager is used) or a sufficiently lax filter to allow the
   attacker provided object to be deserialized; and

My question: which session persistence manager is vulnerable (since "the PersistenceManager" is often taken to refer to org.apache.catalina.session.PersistentManager)?
org.apache.catalina.session.StandardManager or org.apache.catalina.session.PersistentManager, or both?

https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Persistence_Across_Restarts


Solution

  • StandardManager is not addressed by this security vulnerability: it stores all sessions in a single file in an application's temporary directory. If someone has write access to this file, he probably has access to the whole Tomcat installation.

    With PersistentManager using FileStore the situation is different: every session is saved in a separate file, according to its JSESSIONID. Using a crafted JSESSIONID (probably by inserting ../../ in it, I didn't test) it is possible to point to any file in the filesystem (cf. patch).
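To make the distinction concrete, here are two alternative context.xml fragments for the manager the answer identifies as affected. This is an added example, not configuration from the question, the answer or the Tomcat project; the `directory` value is an assumption, and the filter regex is the allow-list Tomcat documents as its default only when a SecurityManager is enabled.

```xml
<!-- Added example: two alternative <Context> fragments, not taken from the page. -->

<!-- Weak (the advisory's condition b + c): PersistentManager with a FileStore and
     no sessionAttributeValueClassNameFilter, so the effective filter is "null"
     and any class found in a session file is eligible for deserialization. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <!-- "sessions" is an assumed path, relative to the webapp's work directory;
         each session becomes its own file named from its JSESSIONID -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions" />
  </Manager>
</Context>

<!-- Hardened: same manager and store, but only the listed JDK value classes may be
     deserialized from a session file. This narrows the attacker-controlled object
     graph (condition c); it does not replace upgrading to a Tomcat release that
     carries the FileStore session-id validation the answer refers to as the patch. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions" />
  </Manager>
</Context>
```

With `warnOnSessionAttributeFilterFailure="true"`, every attribute rejected by the filter is logged, which gives you a detection signal for session files carrying unexpected classes.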