Vulnerability Database

CVE-2021-43980

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77. The bug could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.

CVSS v3:

  • Severity: Low
  • Score: 3.7
  • AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

Software                    From                Fixed in
apache / tomcat             10.1.0-milestone3   10.1.0-milestone3.x
apache / tomcat             10.1.0-milestone4   10.1.0-milestone4.x
apache / tomcat             10.1.0-milestone5   10.1.0-milestone5.x
apache / tomcat             10.1.0-milestone1   10.1.0-milestone1.x
apache / tomcat             10.1.0-milestone2   10.1.0-milestone2.x
apache / tomcat             10.1.0-milestone7   10.1.0-milestone7.x
apache / tomcat             10.1.0-milestone8   10.1.0-milestone8.x
apache / tomcat             10.1.0-milestone9   10.1.0-milestone9.x
apache / tomcat             10.1.0-milestone6   10.1.0-milestone6.x
apache / tomcat             10.1.0-milestone10  10.1.0-milestone10.x
apache / tomcat             10.1.0-milestone11  10.1.0-milestone11.x
apache / tomcat             10.1.0-milestone12  10.1.0-milestone12.x
apache / tomcat             8.5.0               8.5.77.x
apache / tomcat             9.0.0               9.0.60.x
apache / tomcat             10.0.0              10.0.18.x
debian / debian_linux       10.0                10.0.x
debian / debian_linux       11.0                11.0.x
org.apache.tomcat / tomcat  8.5.0               8.5.78
org.apache.tomcat / tomcat  9.0.0-M1            9.0.62
org.apache.tomcat / tomcat  10.0.0-M1           10.0.20
org.apache.tomcat / tomcat  10.1.0-M1           10.1.0-M14