CVE-2021-43980

Published: 2022-09-28 14:15:09
CWE: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, i.e. a race condition)
Vendor: apache
Source: web.nvd.nist.gov
Tags: cve, 2021, 43980, tomcat, apache, nvd, concurrency, bug, security, vulnerability

CVSS3: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

AI Score: 4 (Confidence: High)
EPSS: 0.002 (Percentile: 58.5%)

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0-M1 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client. The practical impact is therefore disclosure of one client's response data to another client (CVSS C:L, with no integrity or availability impact); the high attack complexity reflects that the race is not reliably triggerable on demand.

Affected configurations

NVD configuration nodes

Node 1 (any of):
  apache tomcat, version range 8.5.0 to 8.5.77
  OR apache tomcat, version range 9.0.0 to 9.0.60
  OR apache tomcat, version range 10.0.0 to 10.0.18
  OR apache tomcat 10.1.0 milestone1, milestone2, milestone3, milestone4, milestone5, milestone6, milestone7, milestone8, milestone9, milestone10, milestone11 or milestone12

Node 2 (any of):
  debian debian_linux 10.0
  OR debian debian_linux 11.0

Vendor | Product | Version | CPE
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone4::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone5::
apache | tomcat | (any) | cpe:/a:apache:tomcat::::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone3::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone9::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone10::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone2::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone6::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone7::
apache | tomcat | 10.1.0 | cpe:/a:apache:tomcat:10.1.0:milestone11::
(rows 1-10 of 131)

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Tomcat",
    "versions": [
      {
        "version": "10.1.0-M1 to 10.1.0-M12",
        "status": "affected"
      },
      {
        "version": "10.0.0-M1 to 10.0.18",
        "status": "affected"
      },
      {
        "version": "9.0.0-M1 to 9.0.60",
        "status": "affected"
      },
      {
        "version": "8.5.0 to 8.5.77",
        "status": "affected"
      }
    ]
  }
]
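The affected ranges above mix GA builds and milestone builds (10.1.0-M1 to 10.1.0-M12, 9.0.0-M1 to 9.0.60), and a naive string or float comparison of version numbers gets the milestone boundary wrong: 10.1.0-M12 is affected while the later 10.1.0 GA release is not listed. The triage helper below, an added example for this page rather than code from Apache Tomcat, NVD or Vulners, parses a Tomcat version string (including the "-M<n>" milestone suffix) into a sortable tuple and checks it against exactly the inclusive ranges stated in the advisory text and the CNA block. The sample `bin/version.sh` line is constructed for the demo, and the ordering rule that milestones of a release sort before its GA build is an assumption based on Tomcat's pre-release numbering. Two caveats a practitioner should keep in mind: the advisory lists the whole 9.0.x line from 9.0.0-M1 even though the back-port that exposed the bug landed in 9.0.47, so the check follows the advisory's ranges rather than second-guessing them; and the Debian packages in the second NVD node carry distribution version strings and backported fixes, so a version-only check like this does not apply to them.

```python
"""Triage helper for CVE-2021-43980: decide whether a Tomcat version string
lies inside the affected ranges quoted in the advisory text above.

Added example for this page; it is not code from Apache Tomcat, NVD or the
Vulners site. The ranges are copied from the advisory and the CNA block, the
sample version.sh line is constructed for the demo, and the milestone
ordering rule (M1 < M2 < ... < GA release) is an assumption based on how
Tomcat numbers its pre-releases."""
import re
from typing import Optional, Tuple

# Inclusive affected ranges, exactly as the advisory lists them.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.77"),
    ("9.0.0-M1", "9.0.60"),
    ("10.0.0-M1", "10.0.18"),
    ("10.1.0-M1", "10.1.0-M12"),
]

# Matches "9.0.60" or "10.1.0-M12" (optional "-M<n>" milestone suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Matches the version inside "Server version: Apache Tomcat/9.0.60", the
# line printed by bin/version.sh (the Server header uses the same form).
_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")

_GA = 10**6  # sentinel so a GA release sorts after every milestone of that number

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse '9.0.60' or '10.1.0-M12' into a tuple that compares correctly.

    Milestones of a release sort before its GA build, so
    (10, 1, 0, 12) < (10, 1, 0, _GA); a plain numeric compare would not do that.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else _GA)


def is_affected(version: str) -> bool:
    """True if `version` falls inside any range the advisory lists as affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_server_info(line: str) -> Optional[str]:
    """Extract the version from a bin/version.sh line or a Server header value."""
    m = _SERVER_INFO_RE.search(line)
    return m.group(1) if m else None


def triage(server_info_line: str) -> str:
    """One-line verdict for a captured version line."""
    version = version_from_server_info(server_info_line)
    if version is None:
        return "no Tomcat version found in input"
    verdict = ("AFFECTED by CVE-2021-43980" if is_affected(version)
               else "not in the listed affected ranges")
    return f"Apache Tomcat {version}: {verdict}"


if __name__ == "__main__":
    # Constructed sample lines in the format bin/version.sh prints.
    for line in ("Server version: Apache Tomcat/9.0.60",
                 "Server version: Apache Tomcat/10.1.0-M12",
                 "Server version: Apache Tomcat/10.1.0"):
        print(triage(line))
```

Run it as a script to see the verdict for each constructed line, or import `is_affected` from an inventory script and feed it the version reported by `bin/version.sh` on each host. A version that is outside the listed ranges is only "not listed as affected" here; confirming the fix level for a given line still means checking the Apache Tomcat security page for that branch.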

