CVE-2021-25122

Apache Tomcat h2c request mix-up

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Cuando se responde a nuevas peticiones de conexión h2c, Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0, versiones 9.0.0.M1 hasta 9.0.41 y versiones 8.5.0 hasta 8.5.61, podrían duplicar los encabezados de petición y una cantidad limitada del cuerpo de petición de una petición a otra, lo que significa que el usuario A y el usuario B podrían visualizar los resultados de la petición del usuario A

A flaw was found in Apache Tomcat. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. The highest threat from this vulnerability is to data confidentiality.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.5.0 serves as a replacement for Red Hat JBoss Web Server 5.4.2, and includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include a remote SQL injection vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-14 CVE Reserved
2021-03-01 CVE Published
2025-02-13 CVE Updated
2025-04-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (17)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/03/01/1	Mailing List
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cusers.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b%40%3Cusers.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947%40%3Cusers.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html	Mailing List
https://security.netapp.com/advisory/ntap-20210409-0002	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E	2023-11-07
https://security.gentoo.org/glsa/202208-34	2023-11-07
https://www.debian.org/security/2021/dsa-4891	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-25122	2022-07-07
https://bugzilla.redhat.com/show_bug.cgi?id=1934032	2022-07-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.5.0 <= 8.5.61 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.61"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 9.0.0 <= 9.0.41 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 <= 9.0.41"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone1		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone10		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone11		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone12		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone13		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone14		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone15		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone16		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone17		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone18		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone19		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone2		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone20		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone21		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone22		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone23		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone24		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone25		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone26		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone27		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone3		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone4		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"		milestone5		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone1		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone10		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone2		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone3		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone4		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone5		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone6		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone7		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone8		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				10.0.0 Search vendor "Apache" for product "Tomcat" and version "10.0.0"		milestone9		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.3 Search vendor "Oracle" for product "Agile Plm" and version "9.3.3"		-		Affected
Oracle Search vendor "Oracle"		Agile Plm Search vendor "Oracle" for product "Agile Plm"				9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Policy Search vendor "Oracle" for product "Communications Cloud Native Core Policy"				1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Policy" and version "1.14.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Security Edge Protection Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy"				1.6.0 Search vendor "Oracle" for product "Communications Cloud Native Core Security Edge Protection Proxy" and version "1.6.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Instant Messaging Server Search vendor "Oracle" for product "Communications Instant Messaging Server"				10.0.1.5.0 Search vendor "Oracle" for product "Communications Instant Messaging Server" and version "10.0.1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Database Search vendor "Oracle" for product "Database"				12.2.0.1 Search vendor "Oracle" for product "Database" and version "12.2.0.1"		enterprise		Affected
Oracle Search vendor "Oracle"		Database Search vendor "Oracle" for product "Database"				19c Search vendor "Oracle" for product "Database" and version "19c"		enterprise		Affected
Oracle Search vendor "Oracle"		Database Search vendor "Oracle" for product "Database"				21c Search vendor "Oracle" for product "Database" and version "21c"		enterprise		Affected
Oracle Search vendor "Oracle"		Graph Server And Client Search vendor "Oracle" for product "Graph Server And Client"				< 21.3.0 Search vendor "Oracle" for product "Graph Server And Client" and version " < 21.3.0"		-		Affected
Oracle Search vendor "Oracle"		Graph Server And Client Search vendor "Oracle" for product "Graph Server And Client"				21.3.0 Search vendor "Oracle" for product "Graph Server And Client" and version "21.3.0"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.1 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.2 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"		-		Affected
Oracle Search vendor "Oracle"		Managed File Transfer Search vendor "Oracle" for product "Managed File Transfer"				12.2.1.3.0 Search vendor "Oracle" for product "Managed File Transfer" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Managed File Transfer Search vendor "Oracle" for product "Managed File Transfer"				12.2.1.4.0 Search vendor "Oracle" for product "Managed File Transfer" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Mysql Enterprise Monitor Search vendor "Oracle" for product "Mysql Enterprise Monitor"				<= 8.0.23 Search vendor "Oracle" for product "Mysql Enterprise Monitor" and version " <= 8.0.23"		-		Affected
Oracle Search vendor "Oracle"		Siebel Ui Framework Search vendor "Oracle" for product "Siebel Ui Framework"				<= 21.9 Search vendor "Oracle" for product "Siebel Ui Framework" and version " <= 21.9"		-		Affected