CVE-2021-43980
September 28, 2022
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
Affected Packages
org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.62Fix Suggestion:
Update to version 9.0.62org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=8.5.0 <8.5.78Fix Suggestion:
Update to version 8.5.78org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=10.0.0-M1 <10.0.20Fix Suggestion:
Update to version 10.0.20org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.0-M14Fix Suggestion:
Update to version 10.1.0-M14Related Resources (14)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
EPSS
Base Score:
0.18
