CVE-2021-43980

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-43980

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43980.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-43980

Aliases

Related

Published

2022-09-28T14:15:09Z

Modified

2024-09-11T04:50:52.853531Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

References

Affected packages

Debian:11 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.43-2~deb11u4

Affected versions

9.*

9.0.43-1

9.0.43-2~deb11u1

9.0.43-2~deb11u2

9.0.43-2~deb11u3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.62-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat9

Package

Name: tomcat9
Purl: pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.62-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/tomcat

Affected ranges

Type: GIT
Repo: https://github.com/apache/tomcat
Events: Last affected

02d546ba3c553c74ff1a99ecc166a6ff9c501ba8

Last affected

049799677ba307378a256621bb1a7b03f597571c

Last affected

0e59fedb28df646930c5aff945159b64d7a52260

Last affected

0f3f1e439a040068b741d77777766722e4420ad6

Introduced

16bf392c67833ad549733b58c350ff92b5ee782a

Last affected

235730aed454e8d3619109f2c563587ff722e69d

Last affected

2a10c8d9110d7b1c7f526f3352648c6b19ba2c52

Introduced

e37b977db6f47e4380ad67114a49e8568951c953

Last affected

3931695e564dd4dd1dbf029026e900b74992408c

Last affected

51d1031c36c0f2b3ee1e0d14b56228a559144153

Introduced

4c8b650437e2464c1c31c6598a263b3805b7a81f

Last affected

70f59e8328621e58b9493c119f05a2e57f597a1c

Last affected

8778a44d6323c1066237043a89ab2f36696916b1

Last affected

cd53876fefaa370c31466b0f615e9ad026541a27

Last affected

d08498a3cefa7206bad791acf019455794f865ea

Last affected

dc3639dd7123301ced18dbf4ddf2dca93704870d

Last affected

e706972942e2c342e4a37baf5e2596f11e8a0e94

Last affected

f2ab9ac8bc3f40ee9b2cb50b030c99df927f0429