CVE-2021-25122
Published Mar 1, 2021
Last updated a year ago
Overview
- Description
- When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
- Source
- security@apache.org
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B4ABB491-6750-457E-B5A4-67C1146CB15F",
"versionEndIncluding": "8.5.61",
"versionStartIncluding": "8.5.0"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A9DFCBAF-1583-4C2F-8776-76F4DCB582B5",
"versionEndIncluding": "9.0.41",
"versionStartIncluding": "9.0.0"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DA7CC5E9-3631-4073-84C8-2C12D90686CB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "83B9FF07-1B93-4F8C-AC56-7CA74E61B724"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "310B0163-01DE-40DA-A2EA-FFA4A6100037"
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "75420449-A951-4133-A5F1-4C01F2DF843B"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D"
},
{
"criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E"
},
{
"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "45E5C9B0-AB25-4744-88E4-FD0C4A853001"
},
{
"criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48"
},
{
"criteria": "cpe:2.3:a:oracle:database:12.2.0.1:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "46E7237C-00BD-4490-96C3-A8EAE4CE2C0B"
},
{
"criteria": "cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C1E05472-8F3A-4E46-90E5-50EA6D555FDC"
},
{
"criteria": "cpe:2.3:a:oracle:database:21c:*:*:*:enterprise:*:*:*",
"vulnerable": true,
"matchCriteriaId": "02E34416-E767-4F61-8D2C-0D0202351F91"
},
{
"criteria": "cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "38532AE4-9C9F-4182-A791-FCD2BE27DEA6",
"versionEndExcluding": "21.3.0"
},
{
"criteria": "cpe:2.3:a:oracle:graph_server_and_client:21.3.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "715F9279-F31E-4CC0-A105-95A008EACBA6"
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4"
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4"
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3"
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2"
},
{
"criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1"
},
{
"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F48F2267-61EA-4F12-ADE9-85CB6F6B290E",
"versionEndIncluding": "8.0.23"
},
{
"criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "90605BF7-9C9B-4AC2-83B6-3666C5A15D43",
"versionEndIncluding": "21.9"
}
],
"operator": "OR"
}
]
}
]