Vulnerability Description
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 8.5.0, <= 8.5.77 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/09/28/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3 (Mailing List, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5265 (Third Party Advisory)
FAQ
What is CVE-2021-43980?
CVE-2021-43980 is a vulnerability with a CVSS score of 3.7 (LOW). The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.
How severe is CVE-2021-43980?
CVE-2021-43980 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-43980?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux.