High severityNVD Advisory· Published Mar 1, 2021· Updated Feb 13, 2025
Incomplete fix for CVE-2020-9484
CVE-2021-25329
Description
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.0.0-M1, < 10.0.2 | 10.0.2 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0, < 9.0.41 | 9.0.41 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.0.0, < 8.5.61 | 8.5.61 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 7.0.0, < 7.0.108 | 7.0.108 |
Affected products
38- osv-coords37 versionspkg:apk/chainguard/spark-3.5.0-compatpkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.0pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 3.5.0-r2+ 36 more
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: >= 7.0.0, < 7.0.108
- (no CPE)range: >= 10.0.0-M1, < 10.0.2
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-lp152.2.22.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 6.0.53-0.57.19.1
- (no CPE)range: < 6.0.53-0.57.19.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-3.79.1
- (no CPE)range: < 9.0.36-3.79.1
- (no CPE)range: < 9.0.36-3.24.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 9.0.36-3.64.1
- (no CPE)range: < 9.0.36-3.64.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-3.79.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 9.0.36-3.64.1
- (no CPE)range: < 9.0.36-3.64.1
- (no CPE)range: < 9.0.36-3.79.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 9.0.36-4.58.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 9.0.36-3.64.1
- (no CPE)range: < 8.0.53-29.46.1
- (no CPE)range: < 9.0.36-3.64.1
- Apache Software Foundation/Apache Tomcatv5Range: Apache Tomcat 10
Patches
Vulnerability mechanics
References
30- github.com/advisories/GHSA-jgwr-3qm3-26f3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-25329ghsaADVISORY
- security.gentoo.org/glsa/202208-34ghsavendor-advisoryx_refsource_GENTOOWEB
- www.debian.org/security/2021/dsa-4891ghsavendor-advisoryx_refsource_DEBIANWEB
- www.openwall.com/lists/oss-security/2021/03/01/2ghsamailing-listx_refsource_MLISTWEB
- github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4ghsaWEB
- lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_MISCmailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2021/03/msg00018.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20210409-0002ghsaWEB
- security.netapp.com/advisory/ntap-20210409-0002/mitrex_refsource_CONFIRM
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.