Lucene search

K

Redhat.comRH:CVE-2021-43980

HistorySep 28, 2022 - 3:18 p.m.

CVE-2021-43980

2022-09-2815:18:54

redhat.com

access.redhat.com

25

apache tomcat

concurrency bug

client connections

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.002

Percentile

58.5%

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

References

bugzilla.redhat.com/show_bug.cgi?id=2130599

nvd.nist.gov/vuln/detail/CVE-2021-43980

www.cve.org/CVERecord?id=CVE-2021-43980

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.002

Percentile

58.5%

Related for RH:CVE-2021-43980

nessus19 github1 osv7 debiancve1 openvas8 ibm8 prion1 tomcat4 kaspersky1 veracode1 cvelist1 ubuntucve1 f51 nvd1 cve1 amazon1 redhat2 debian2 mageia1 rosalinux1