7

CVSS Score

Basic Information

CVE ID

CVE-2021-25329

GHSA ID

GHSA-jgwr-3qm3-26f3

EPSS Score

CWE

CWE-502

Published

3/19/2021

Updated

2/3/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-25329

CVE-2021-25329:
Potential remote code execution in Apache Tomcat

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

(GitHub Advisory)

7

CVSS Score

Basic Information

CVE ID

CVE-2021-25329

GHSA ID

GHSA-jgwr-3qm3-26f3

EPSS Score

CWE

CWE-502

Published

3/19/2021

Updated

2/3/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.0.0-M1, < 10.0.2	10.0.2
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0, < 9.0.41	9.0.41
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 8.0.0, < 8.5.61	8.5.61
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 7.0.0, < 7.0.107	7.0.108

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using string-based path comparisons (getCanonicalPath().startsWith()) rather than proper Path object comparisons. This could allow bypassing directory containment checks via symlinks, case variations, or filesystem-specific path representations. The commit 6d66e99 explicitly replaces these vulnerable string comparisons with java.nio.file.Path comparisons in multiple files, indicating these were the vulnerable functions. The files shown in the diff (DefaultServlet.java, FileStore.java, HostConfig.java etc.) all contained this pattern and were patched by switching to Path-based checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *ix *or *V*-****-**** w*s in*ompl*t*. W**n usin* *p**** Tom**t **.*.*-M* to **.*.*, *.*.*.M* to *.*.**, *.*.* to *.*.** or *.*.*. to *.*.*** wit* * *on*i*ur*tion **** **s* t**t w*s *i**ly unlik*ly to ** us**, t** Tom**t inst*n** w*s still vuln*r*

Reasoning

T** vuln*r**ility st*mm** *rom usin* strin*-**s** p*t* *omp*risons (**t**noni**lP*t*().st*rtsWit*()) r*t**r t**n prop*r P*t* o*j**t *omp*risons. T*is *oul* *llow *yp*ssin* *ir**tory *ont*inm*nt ****ks vi* symlinks, **s* v*ri*tions, or *il*syst*m-sp**

7

Basic Information

Concerned about an active attack path?

CVE-2021-25329: Potential remote code execution in Apache Tomcat

7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-25329:
Potential remote code execution in Apache Tomcat

Vulnerability Intelligence
Miggo AI