Skip to content
This repository has been archived by the owner on Jun 16, 2023. It is now read-only.

CVE-2021-43980 (Low) detected in tomcat-embed-core-8.5.68.jar, tomcat-embed-core-9.0.48.jar #30

Open
mend-bolt-for-github bot opened this issue Sep 30, 2022 · 0 comments
Open

CVE-2021-43980 (Low) detected in tomcat-embed-core-8.5.68.jar, tomcat-embed-core-9.0.48.jar #30

mend-bolt-for-github bot opened this issue Sep 30, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Sep 30, 2022
edited
Loading

CVE-2021-43980 - Low Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-8.5.68.jar, tomcat-embed-core-9.0.48.jar

tomcat-embed-core-8.5.68.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.68/ce25d8bd7cb99e5cb92a361e9927b99c85968f15/tomcat-embed-core-8.5.68.jar

Dependency Hierarchy:

  • gretty-runner-tomcat85-3.0.5.jar (Root Library)
    • tomcat-embed-core-8.5.68.jar (Vulnerable Library)
tomcat-embed-core-9.0.48.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.48/f112cd2380d8215e22ac40aff128a1b6daa2f0ac/tomcat-embed-core-9.0.48.jar

Dependency Hierarchy:

  • gretty-runner-tomcat9-3.0.5.jar (Root Library)
    • tomcat-embed-core-9.0.48.jar (Vulnerable Library)

Found in HEAD commit: 4cb9afca7b4ab356e0863ec7515cb10a779ea02d

Found in base branch: master

Vulnerability Details

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Publish Date: 2022-09-28

URL: CVE-2021-43980

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Release Date: 2022-09-28

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.78,9.0.62,10.0.20,10.1.0-M14

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Sep 30, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2021-43980 (High) detected in tomcat-embed-core-8.5.68.jar, tomcat-embed-core-9.0.48.jar CVE-2021-43980 (Low) detected in tomcat-embed-core-8.5.68.jar, tomcat-embed-core-9.0.48.jar Jan 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants