CVE-2021-25122

HIGH

Apache Tomcat <10.0.0,9.0.41,8.5.61 - Info Disclosure

Title source: llm
STIX 2.1

Description

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

References (15)

Core 15
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/03/01/1
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4891
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210409-0002/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-34

Scores

CVSS v3 7.5
EPSS 0.0278
EPSS Percentile 86.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (18)
apache/tomcat 9.0.0 milestone1 (23 CPE variants)
apache/tomcat 10.0.0 (11 CPE variants)
apache/tomcat 8.5.0 - 8.5.61
debian/debian_linux 9.0
debian/debian_linux 10.0
oracle/agile_plm 9.3.3
oracle/agile_plm 9.3.6
oracle/communications_cloud_native_core_policy 1.14.0
oracle/communications_cloud_native_core_security_edge_protection_proxy 1.6.0
oracle/communications_instant_messaging_server 10.0.1.5.0
... and 8 more
Published Mar 01, 2021
Tracked Since Feb 18, 2026