CVE-2021-25122 h2c request mix-up Severity: Important
Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0 Apache Tomcat 9.0.0.M1 to 9.0.41 Apache Tomcat 8.5.0 to 8.5.61 Description:When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.2 or later - Upgrade to Apache Tomcat 9.0.43 or later - Upgrade to Apache Tomcat 8.5.63 or laterNote that issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass.
Credit: This issue was identified by the Apache Tomcat Security Team. History: 2021-03-01 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html [4] https://tomcat.apache.org/security-7.html
OpenPGP_signature
Description: OpenPGP digital signature