QwikSec

Security Database

CVE

CWE

Training

CVE-2021-25122

Published: Mar 1, 2021

Modified: Feb 13, 2025

PUBLISHED

Description

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	affected `Apache Tomcat 10 - < 10.0.2` affected `Apache Tomcat 9 - < 9.0.42` affected `Apache Tomcat 8.5 - < 8.5.62`

Weaknesses (CWE)

References

https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

x_refsource_MISC

[tomcat-announce] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[tomcat-users] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[tomcat-dev] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

mailing-list

x_refsource_MLIST

[announce] 20210301 [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[oss-security] 20210301 CVE-2021-25122: Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[tomcat-users] 20210305 RE: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[tomcat-users] 20210305 Re: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20210316 [SECURITY] [DLA 2596-1] tomcat8 security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

https://www.oracle.com//security-alerts/cpujul2021.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210409-0002/

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.