Fixed in Apache Tomcat 10.1.0-M14

Note: The issue below was fixed in Apache Tomcat 10.1.0-M13 but the release vote for the 10.1.0-M13 release candidate did not pass. Therefore, although users must download 10.1.0-M14 to obtain a version that includes a fix for these issues, version 10.1.0-M13 is not included in the list of affected versions.

High: Information Disclosure CVE-2021-43980

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

This was fixed with commit 9651b83a.

This issue was reported to the Apache Tomcat Security team by Adam Thomas, Richard Hernandez and Ryan Schmitt on 11 November 2021. The issue was made public on 28 September 2022.

Affects: 10.1.0-M1 to 10.1.0-M12