CVE-2021-25122 — HIGH (7.5)

Q: How severe is CVE-2021-25122?

CVE-2021-25122 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-25122?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Agile Plm, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy.

Vulnerability Description

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 8.5.0, <= 8.5.61
Debian	Debian Linux	9.0
Oracle	Agile Plm	9.3.3
Oracle	Communications Cloud Native Core Policy	1.14.0
Oracle	Communications Cloud Native Core Security Edge Protection Proxy	1.6.0
Oracle	Communications Instant Messaging Server	10.0.1.5.0
Oracle	Database	12.2.0.1
Oracle	Graph Server And Client	< 21.3.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Managed File Transfer	12.2.1.3.0
Oracle	Mysql Enterprise Monitor	<= 8.0.23
Oracle	Siebel Ui Framework	<= 21.9

Related Weaknesses (CWE)

CWE-200

References

http://www.openwall.com/lists/oss-security/2021/03/01/1Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296Mailing ListVendor Advisory
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296Mailing ListVendor Advisory
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296
https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297
https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c23
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210409-0002/Third Party Advisory
https://www.debian.org/security/2021/dsa-4891Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2021-25122?

CVE-2021-25122 is a vulnerability with a CVSS score of 7.5 (HIGH). When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body ...

How severe is CVE-2021-25122?

CVE-2021-25122 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-25122?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Oracle Agile Plm, Oracle Communications Cloud Native Core Policy, Oracle Communications Cloud Native Core Security Edge Protection Proxy.