Low severityNVD Advisory· Published Sep 28, 2022· Updated May 21, 2025
Apache Tomcat: Information disclosure
CVE-2021-43980
Description
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.78 | 8.5.78 |
org.apache.tomcat:tomcatMaven | >= 9.0.0-M1, < 9.0.62 | 9.0.62 |
org.apache.tomcat:tomcatMaven | >= 10.0.0-M1, < 10.0.20 | 10.0.20 |
org.apache.tomcat:tomcatMaven | >= 10.1.0-M1, < 10.1.0-M14 | 10.1.0-M14 |
Affected products
19- osv-coords18 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat/tomcatpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
>= 8.5.0, < 8.5.78+ 17 more
- (no CPE)range: >= 8.5.0, < 8.5.78
- (no CPE)range: >= 8.5.0, < 8.5.78
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.43-11.1
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.36-150000.3.101.2
- (no CPE)range: < 9.0.36-150000.3.101.2
- (no CPE)range: < 9.0.36-3.90.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.36-150000.3.101.2
- (no CPE)range: < 9.0.36-3.90.1
- (no CPE)range: < 9.0.36-150000.3.101.2
- (no CPE)range: < 9.0.36-150100.4.81.1
- (no CPE)range: < 9.0.115-3.160.1
- Apache Software Foundation/Apache Tomcatv5Range: 10.1.0-M1 to 10.1.0-M12
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-jx7c-7mj5-9438ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-43980ghsaADVISORY
- www.debian.org/security/2022/dsa-5265ghsavendor-advisoryWEB
- www.openwall.com/lists/oss-security/2022/09/28/1ghsamailing-listWEB
- github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1ghsaWEB
- github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13ghsaWEB
- github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119bebghsaWEB
- github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fcghsaWEB
- lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3ghsaWEB
- lists.debian.org/debian-lts-announce/2022/10/msg00029.htmlghsamailing-listWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
0No linked articles in our index yet.