CVE-2021-25329

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Published: Mar 1, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-25329
GHSA: GHSA-jgwr-3qm3-26f3
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.4
AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
apache / tomcat	9.0.0-milestone1	9.0.0-milestone1.x
apache / tomcat	9.0.0-milestone10	9.0.0-milestone10.x
apache / tomcat	9.0.0-milestone11	9.0.0-milestone11.x
apache / tomcat	9.0.0-milestone12	9.0.0-milestone12.x
apache / tomcat	9.0.0-milestone13	9.0.0-milestone13.x
apache / tomcat	9.0.0-milestone14	9.0.0-milestone14.x
apache / tomcat	9.0.0-milestone15	9.0.0-milestone15.x
apache / tomcat	9.0.0-milestone16	9.0.0-milestone16.x
apache / tomcat	9.0.0-milestone17	9.0.0-milestone17.x
apache / tomcat	9.0.0-milestone18	9.0.0-milestone18.x
apache / tomcat	9.0.0-milestone19	9.0.0-milestone19.x
apache / tomcat	9.0.0-milestone2	9.0.0-milestone2.x
apache / tomcat	9.0.0-milestone20	9.0.0-milestone20.x
apache / tomcat	9.0.0-milestone21	9.0.0-milestone21.x
apache / tomcat	9.0.0-milestone22	9.0.0-milestone22.x
apache / tomcat	9.0.0-milestone23	9.0.0-milestone23.x
apache / tomcat	9.0.0-milestone24	9.0.0-milestone24.x
apache / tomcat	9.0.0-milestone25	9.0.0-milestone25.x
apache / tomcat	9.0.0-milestone26	9.0.0-milestone26.x
apache / tomcat	9.0.0-milestone27	9.0.0-milestone27.x
apache / tomcat	9.0.0-milestone3	9.0.0-milestone3.x
apache / tomcat	9.0.0-milestone4	9.0.0-milestone4.x
apache / tomcat	9.0.0-milestone5	9.0.0-milestone5.x
apache / tomcat	9.0.0-milestone6	9.0.0-milestone6.x
apache / tomcat	9.0.0-milestone7	9.0.0-milestone7.x
apache / tomcat	9.0.0-milestone8	9.0.0-milestone8.x
apache / tomcat	9.0.0-milestone9	9.0.0-milestone9.x
apache / tomcat	10.0.0-milestone3	10.0.0-milestone3.x
apache / tomcat	10.0.0-milestone4	10.0.0-milestone4.x
apache / tomcat	10.0.0-milestone2	10.0.0-milestone2.x
apache / tomcat	10.0.0-milestone1	10.0.0-milestone1.x
apache / tomcat	10.0.0-milestone5	10.0.0-milestone5.x
apache / tomcat	10.0.0-milestone6	10.0.0-milestone6.x
apache / tomcat	10.0.0-milestone7	10.0.0-milestone7.x
apache / tomcat	10.0.0-milestone8	10.0.0-milestone8.x
apache / tomcat	10.0.0-milestone9	10.0.0-milestone9.x
apache / tomcat	9.0.0	9.0.41.x
apache / tomcat	8.5.0	8.5.61.x
apache / tomcat	10.0.0-milestone10	10.0.0-milestone10.x
apache / tomcat	10.0.0	10.0.0.x
apache / tomcat	7.0.0	7.0.107.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
oracle / managed_file_transfer	12.2.1.3.0	12.2.1.3.0.x
oracle / instantis_enterprisetrack	17.1	17.1.x
oracle / instantis_enterprisetrack	17.2	17.2.x
oracle / instantis_enterprisetrack	17.3	17.3.x
oracle / agile_plm	9.3.3	9.3.3.x
oracle / agile_plm	9.3.6	9.3.6.x
oracle / database	12.2.0.1	12.2.0.1.x
oracle / database	19c	19c.x
oracle / managed_file_transfer	12.2.1.4.0	12.2.1.4.0.x
oracle / siebel_ui_framework	-	21.9
oracle / mysql_enterprise_monitor	-	8.0.23.x
oracle / graph_server_and_client	-	21.3.0
oracle / database	21c	21c.x
oracle / siebel_ui_framework	21.9	21.9.x
oracle / communications_cloud_native_core_policy	1.14.0	1.14.0.x
oracle / communications_instant_messaging_server	10.0.1.5.0	10.0.1.5.0.x
oracle / communications_cloud_native_core_security_edge_protection_proxy	1.6.0	1.6.0.x
org.apache.tomcat.embed / tomcat-embed-core	10.0.0-M1	10.0.2
org.apache.tomcat.embed / tomcat-embed-core	9.0.0	9.0.41
org.apache.tomcat.embed / tomcat-embed-core	8.0.0	8.5.61
org.apache.tomcat.embed / tomcat-embed-core	7.0.0	7.0.108

Vulnerability Database

289,599

CVE-2021-25329