Note: The issues below were fixed in Apache Tomcat 8.5.62 but the release vote for the 8.5.62 release candidate did not pass. Therefore, although users must download 8.5.63 to obtain a version that includes a fix for these issues, version 8.5.62 is not included in the list of affected versions.
Low: Fix for CVE-2020-9484 was incomplete CVE-2021-25329
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.
This was fixed with commit 93f0cc40.
This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security on 12 January 2021. The issue was made public on 1 March 2021.
Affects: 8.5.0 to 8.5.61
Important: Request mix-up with h2c CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A’s request.
This was fixed with commit bb0e7c1e.
This issue was identified by the Apache Tomcat Security team on 11 January 2021. The issue was made public on 1 March 2021.
Affects: 8.5.0 to 8.5.61
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 8.5.0 | |
apache tomcat | le | 8.5.61 |