CVE-2021-25122
Summary
| CVE | CVE-2021-25122 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-01 12:15:00 UTC |
| Updated | 2023-11-07 03:31:00 UTC |
| Description | When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 10.0.0 | - | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | - | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.3 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 1.14.0 | All | All | All |
| Application | Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.6.0 | All | All | All |
| Application | Oracle | Communications Instant Messaging Server | 10.0.1.5.0 | All | All | All |
| Application | Oracle | Database | 12.2.0.1 | All | All | All |
| Application | Oracle | Database | 19c | All | All | All |
| Application | Oracle | Database | 21c | All | All | All |
| Application | Oracle | Graph Server And Client | All | All | All | All |
| Application | Oracle | Graph Server And Client | 21.3.0 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
| Application | Oracle | Managed File Transfer | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Managed File Transfer | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Siebel Ui Framework | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| [announce] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| [tomcat-dev] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | CONFIRM | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Debian -- Security Information -- DSA-4891-1 tomcat9 | DEBIAN | www.debian.org | |
| [tomcat-users] 20210305 RE: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up | lists.apache.org | ||
| March 2021 Apache Tomcat Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] [DLA 2596-1] tomcat8 security update | MLIST | lists.debian.org | |
| Apache Tomcat: Multiple Vulnerabilities (GLSA 202208-34) — Gentoo security | GENTOO | security.gentoo.org | |
| [tomcat-users] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up | lists.apache.org | ||
| oss-security - CVE-2021-25122: Apache Tomcat h2c request mix-up | MLIST | www.openwall.com | Mailing List, Third Party Advisory |
| [tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml | lists.apache.org | ||
| [tomcat-users] 20210305 Re: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up | lists.apache.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 150452 Apache Tomcat h2c request mix-up vulnerability (CVE-2021-25122)
- 174905 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:0988-1)
- 174906 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:0989-1)
- 174912 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1009-1)
- 174941 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:1008-1)
- 178492 Debian Security Update for tomcat8 (DLA 2596-1)
- 178533 Debian Security Update for tomcat9 (DSA 4891-1)
- 179657 Debian Security Update for tomcat9 (CVE-2021-25122)
- 198724 Ubuntu Security Notification for Tomcat Vulnerabilities (USN-5360-1)
- 20232 Oracle Database 21c Critical Patch Update - October 2021
- 20233 Oracle Database 19c Critical Patch Update - October 2021
- 20234 Oracle Database 12.2.0.1 Critical Patch Update - October 2021
- 20235 Oracle Database 12.2.0.1 Critical Patch Update - October 2021 (Unauthenticated)
- 20270 Oracle Database 21c Critical Patch Update - October 2022
- 20271 Oracle Database 19c Critical Patch Update - October 2022
- 20272 Oracle Database 19c Critical OJVM Patch Update - October 2022
- 20276 Oracle Database 19c Critical OJVM Patch Update - October 2021
- 20290 Oracle Database 12.2.0.1 Critical OJVM Patch Update - October 2021
- 239760 Red Hat Update for red hat jboss web server 5.5.0 (RHSA-2021:2561)
- 352256 Amazon Linux Security Advisory for tomcat8: ALAS-2021-1491
- 356300 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-009
- 670333 EulerOS Security Update for tomcat (EulerOS-SA-2021-1891)
- 710609 Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202208-34)
- 730041 Apache Tomcat Duplicate Request Headers Vulnerabilities
- 730042 Apache Tomcat Duplicate Request Headers Vulnerabilities
- 730059 Atlassian Jira Server Multiple Security Vulnerabilities(JRASERVER-72211)
- 730470 Atlassian Confluence Tomcat Vulnerability (CONFSERVER-62837)
- 730656 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 730662 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 730668 Apache Tomcat Request mix-up with h2c Vulnerability (CVE-2021-25122)
- 750285 OpenSUSE Security Update for tomcat (openSUSE-SU-2021:0496-1)
- 980337 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-j39c-c8hj-x4j3)