OESA-2021-1117

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1117
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1117.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2021-1117
Upstream
Published
2021-04-07T11:02:46Z
Modified
2025-08-12T05:07:39.690715Z
Summary
tomcat security update
Details

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project.

Security Fix(es):

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request. (CVE-2021-25122)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.10-18.oe1

Ecosystem specific

{
    "src": [
        "tomcat-9.0.10-18.oe1.src.rpm"
    ],
    "noarch": [
        "tomcat-9.0.10-18.oe1.noarch.rpm",
        "tomcat-help-9.0.10-18.oe1.noarch.rpm",
        "tomcat-jsvc-9.0.10-18.oe1.noarch.rpm"
    ]
}