oss-sec mailing list archives
CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484
From: Mark Thomas <markt () apache org>
Date: Mon, 1 Mar 2021 11:15:46 +0000
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
Credit: This issue was identified by Trung Pham of Viettel Cyber Security. References: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
Current thread:
- CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484 Mark Thomas (Mar 01)