CVE-2021-43980

LOW

Apache Tomcat < 8.5.77 - Race Condition

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-43980. PoCs published by dbolkensteyn.

AI-analyzed exploit summary: The repository contains only a generic GitLab README template and a CI configuration file, with no actual exploit code or technical details related to CVE-2021-43980.

Description

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or parts of responses, being received by the wrong client.

Exploits (1)

gitlab STUB
by dbolkensteyn · poc
https://gitlab.com/dbolkensteyn/cve-2021-43980

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 23, 2026

References (4)

Core References
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/09/28/1
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5265

Scores

CVSS v3 3.7
EPSS 0.0020
EPSS Percentile 42.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-362
Status published
Products (5)
apache/tomcat 10.1.0 milestone1 (12 CPE variants)
apache/tomcat 8.5.0 - 8.5.77
debian/debian_linux 10.0
debian/debian_linux 11.0
org.apache.tomcat/tomcat 8.5.0 - 8.5.78 (Maven)
Published Sep 28, 2022
Tracked Since Feb 18, 2026