3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
0.002 Low
EPSS
Percentile
58.5%
Note: The issue below was fixed in Apache Tomcat 9.0.61 but the release vote for the 9.0.61 release candidate did not pass. Therefore, although users must download 9.0.62 to obtain a version that includes a fix for these issues, version 9.0.61 is not included in the list of affected versions.
High: Information Disclosure CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
This was fixed with commit 170e0f79.
This issue was reported to the Apache Tomcat Security team by Adam Thomas, Richard Hernandez and Ryan Schmitt on 11 November 2021. The issue was made public on 28 September 2022.
Affects: 9.0.0-M1 to 9.0.60
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 9.0.0-M1 | |
apache tomcat | le | 9.0.60 |
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
0.002 Low
EPSS
Percentile
58.5%