CVE-2021-43980

2022-09-28 14:15:09
CWE-362
Source: web.nvd.nist.gov
Tags: cve, 2021, 43980, tomcat, apache, nvd, concurrency, bug, security, vulnerability

CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 4 Medium (Confidence: High)
EPSS: 0.002 Low (Percentile: 58.4%)

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Affected configurations

apache tomcat Range 10.1.0-M1 to 10.1.0-M12
OR
apache tomcat Range 10.0.0-M1 to 10.0.18
OR
apache tomcat Range 9.0.0-M1 to 9.0.60
OR
apache tomcat Range 8.5.0 to 8.5.77

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Tomcat",
    "versions": [
      {
        "version": "10.1.0-M1 to 10.1.0-M12",
        "status": "affected"
      },
      {
        "version": "10.0.0-M1 to 10.0.18",
        "status": "affected"
      },
      {
        "version": "9.0.0-M1 to 9.0.60",
        "status": "affected"
      },
      {
        "version": "8.5.0 to 8.5.77",
        "status": "affected"
      }
    ]
  }
]
