CVE-2021-25329

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7 HIGH
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
apachetomcat
7.0.0 ≤
𝑥
≤ 7.0.107
apachetomcat
8.5.0 ≤
𝑥
≤ 8.5.61
apachetomcat
9.0.0 ≤
𝑥
≤ 9.0.41
apachetomcat
9.0.0:milestone1
apachetomcat
9.0.0:milestone10
apachetomcat
9.0.0:milestone11
apachetomcat
9.0.0:milestone12
apachetomcat
9.0.0:milestone13
apachetomcat
9.0.0:milestone14
apachetomcat
9.0.0:milestone15
apachetomcat
9.0.0:milestone16
apachetomcat
9.0.0:milestone17
apachetomcat
9.0.0:milestone18
apachetomcat
9.0.0:milestone19
apachetomcat
9.0.0:milestone2
apachetomcat
9.0.0:milestone20
apachetomcat
9.0.0:milestone21
apachetomcat
9.0.0:milestone22
apachetomcat
9.0.0:milestone23
apachetomcat
9.0.0:milestone24
apachetomcat
9.0.0:milestone25
apachetomcat
9.0.0:milestone26
apachetomcat
9.0.0:milestone27
apachetomcat
9.0.0:milestone3
apachetomcat
9.0.0:milestone4
apachetomcat
9.0.0:milestone5
apachetomcat
9.0.0:milestone6
apachetomcat
9.0.0:milestone7
apachetomcat
9.0.0:milestone8
apachetomcat
9.0.0:milestone9
apachetomcat
10.0.0
apachetomcat
10.0.0:milestone1
apachetomcat
10.0.0:milestone10
apachetomcat
10.0.0:milestone2
apachetomcat
10.0.0:milestone3
apachetomcat
10.0.0:milestone4
apachetomcat
10.0.0:milestone5
apachetomcat
10.0.0:milestone6
apachetomcat
10.0.0:milestone7
apachetomcat
10.0.0:milestone8
apachetomcat
10.0.0:milestone9
debiandebian_linux
9.0
debiandebian_linux
10.0
oracleagile_plm
9.3.3
oracleagile_plm
9.3.6
oraclecommunications_cloud_native_core_policy
1.14.0
oraclecommunications_cloud_native_core_security_edge_protection_proxy
1.6.0
oraclecommunications_instant_messaging_server
10.0.1.5.0
oracledatabase
12.2.0.1
oraclegraph_server_and_client
𝑥
< 21.3.0
oracleinstantis_enterprisetrack
17.1
oracleinstantis_enterprisetrack
17.2
oracleinstantis_enterprisetrack
17.3
oraclemanaged_file_transfer
12.2.1.3.0
oraclemanaged_file_transfer
12.2.1.4.0
oraclemysql_enterprise_monitor
𝑥
≤ 8.0.23
oraclesiebel_ui_framework
𝑥
< 21.9
oraclesiebel_ui_framework
21.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
fixed
stretch
ignored
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
needs-triage
trusty
needs-triage
tomcat7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 7.0.78-1ubuntu0.1~esm1
released
xenial
Fixed 7.0.68-1ubuntu0.4+esm2
released
trusty
Fixed 7.0.52-1ubuntu0.16+esm1
released
tomcat8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
dne
tomcat9
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
Fixed 9.0.31-1ubuntu0.2
released
bionic
Fixed 9.0.16-3ubuntu0.18.04.2
released
xenial
dne
trusty
dne
References
http://www.openwall.com/lists/oss-security/2021/03/01/2
https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
https://security.gentoo.org/glsa/202208-34
https://security.netapp.com/advisory/ntap-20210409-0002/
https://www.debian.org/security/2021/dsa-4891
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
http://www.openwall.com/lists/oss-security/2021/03/01/2
https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
https://security.gentoo.org/glsa/202208-34
https://security.netapp.com/advisory/ntap-20210409-0002/
https://www.debian.org/security/2021/dsa-4891
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html