CVE-2021-25329
Published: 2021-03-01
Severity: High (CVSS 3.1 base score 7.0)
CVSS vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
Affected
26 affected ranges; 25 shown below.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | 7.0.0 – 7.0.107 | — |
| apache | tomcat | 8.5.0 – 8.5.61 | — |
| apache | tomcat | 9.0.0 – 9.0.41 | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tomcat9 | < 9.0.43-1 (bookworm) | 9.0.43-1 (bookworm) |
| oracle | agile_plm | — | — |
| oracle | agile_plm | — | — |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | — | — |
| oracle | communications_instant_messaging_server | — | — |
| oracle | database | — | — |
| oracle | database | — | — |
| oracle | database | — | — |
| oracle | graph_server_and_client | < 21.3.0 | 21.3.0 |
| oracle | instantis_enterprisetrack | — | — |
| oracle | instantis_enterprisetrack | — | — |
| oracle | instantis_enterprisetrack | — | — |
| oracle | managed_file_transfer | — | — |
| oracle | managed_file_transfer | — | — |
| oracle | mysql_enterprise_monitor | <= 8.0.23 | — |
| oracle | siebel_ui_framework | < 21.9 | 21.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| GHSA | — | 7.0 | HIGH | — |
| OSV | — | 7.0 | HIGH | — |