CVE-2021-25122 (High) detected in tomcat-embed-core-8.5.57.jar
Closed this issue · 1 comments
CVE-2021-25122 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.57.jar
Core Tomcat implementation
Path to dependency file: api/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.57/tomcat-embed-core-8.5.57.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.5.22.RELEASE.jar
- ❌ tomcat-embed-core-8.5.57.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.5.22.RELEASE.jar
Found in HEAD commit: 37b603a7212a01a6b2bb0dd83fcfc64834928d71
Found in base branch: master
Vulnerability Details
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
Publish Date: 2021-03-01
URL: CVE-2021-25122
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-01
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.62,9.0.42,10.0.2;org.apache.tomcat:tomcat-coyote:8.5.62,9.0.42,10.0.2
Step up your Open Source Security Game with WhiteSource here
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.