QwikSec

Security Database

CVE

CWE

Training

CVE-2021-25329

Published: Mar 1, 2021

Modified: Feb 13, 2025

PUBLISHED

Description

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	affected `Apache Tomcat 10 - < 10.0.0` affected `Apache Tomcat 9 - < 9.0.41` affected `Apache Tomcat 8.5 - < 8.5.61` affected `Apache Tomcat 7 - < 7.0.107`

References

https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

x_refsource_MISC

[tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)

mailing-list

x_refsource_MLIST

[announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)

mailing-list

x_refsource_MLIST

[tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)

mailing-list

x_refsource_MLIST

[tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

mailing-list

x_refsource_MLIST

[tomcat-announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)

mailing-list

x_refsource_MLIST

[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20210316 [SECURITY] [DLA 2596-1] tomcat8 security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

[tomcat-users] 20210701 What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5

mailing-list

x_refsource_MLIST

[tomcat-users] 20210701 Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5

mailing-list

x_refsource_MLIST

[tomcat-users] 20210702 Re: What is "h2c"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5

mailing-list

x_refsource_MLIST

[tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5

mailing-list

x_refsource_MLIST

https://www.oracle.com//security-alerts/cpujul2021.html

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210409-0002/

x_refsource_CONFIRM

https://www.oracle.com/security-alerts/cpuoct2021.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujan2022.html

x_refsource_MISC

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.