CVE-2021-43980

LOW

Apache Tomcat < 8.5.77 - Race Condition

Title source: rule

Description

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Exploits (1)

gitlab STUB

by dbolkensteyn · poc

https://gitlab.com/dbolkensteyn/cve-2021-43980

View Code ZIP pw:eip

References (4)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/09/28/1

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5265

Scores

CVSS v3 3.7

EPSS 0.0025

EPSS Percentile 48.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-362

Status published

Products (5)

apache/tomcat 10.1.0 milestone1 (12 CPE variants)

apache/tomcat 8.5.0 - 8.5.77

debian/debian_linux 10.0

debian/debian_linux 11.0

org.apache.tomcat/tomcat 8.5.0 - 8.5.78Maven

Published Sep 28, 2022

Tracked Since Feb 18, 2026