CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later

Note that issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass.

This issue was identified by the Apache Tomcat Security Team.

2021-03-01 Original advisory


Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply via email to