CVE-2021-43980

CWE-362 — Race Condition8 documents7 sources

Severity

3.7LOW

EPSS

0.2%

top 51.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat Debian Debian Linux

Timeline

PublishedSep 28

Latest updateSep 29

Description

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat8.5.0 — 8.5.78+3

▶NVDapache/tomcat8.5.0 — 8.5.77+3

▶CVEListV5apache_software_foundation/apache_tomcat4 versions+3

▶Debiantomcat9< 9.0.43-2~deb11u4+3

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

GHSA

Apache Tomcat Race Condition vulnerability↗2022-09-29

▶

OSV

Apache Tomcat Race Condition vulnerability↗2022-09-29

▶

CVEList

Apache Tomcat: Information disclosure↗2022-09-28

▶

OSV

CVE-2021-43980: The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9↗2022-09-28

▶

📋Vendor Advisories

Red Hat

Tomcat: Information disclosure↗2022-09-28

▶

Debian

CVE-2021-43980: tomcat9 - The simplified implementation of blocking reads and writes introduced in Tomcat ...↗2021

▶

Apache

Apache tomcat: CVE-2021-43980↗

▶