7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.922 High
EPSS
Percentile
98.9%
Note: The issues below were fixed in Apache Tomcat 9.0.42 but the release vote for the 9.0.42 release candidate did not pass. Therefore, although users must download 9.0.43 to obtain a version that includes a fix for these issues, version 9.0.42 is not included in the list of affected versions.
Low: Fix for CVE-2020-9484 was incomplete CVE-2021-25329
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.
This was fixed with commit 4785433a.
This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security on 12 January 2021. The issue was made public on 1 March 2021.
Affects: 9.0.0.M1 to 9.0.41
Important: Request mix-up with h2c CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A’s request.
This was fixed with commit d47c20a7.
This issue was identified by the Apache Tomcat Security team on 11 January 2021. The issue was made public on 1 March 2021.
Affects: 9.0.0.M1 to 9.0.41
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 9.0.0.M1 | |
apache tomcat | le | 9.0.41 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.922 High
EPSS
Percentile
98.9%