CVE-2021-43980
Public on 2022-09-28
Modified on 2024-05-01
Description
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | Not Affected | ||
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-013 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT9-2023-005 | Fixed |
| Amazon Linux 1 | tomcat8 | 2023-04-13 | ALAS-2023-1732 | Fixed |
| Amazon Linux 2023 | tomcat9 | 2023-04-27 | ALAS2023-2023-176 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |