3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43980

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-43980

CVE-2021-43980:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 8.5.0, < 8.5.78	8.5.78
org.apache.tomcat:tomcat	maven	>= 9.0.0-M1, < 9.0.62	9.0.62
org.apache.tomcat:tomcat	maven	>= 10.0.0-M1, < 10.0.20	10.0.20
org.apache.tomcat:tomcat	maven	>= 10.1.0-M1, < 10.1.0-M14	10.1.0-M14

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper synchronization around Http11Processor instance management. The commit diff shows critical changes: 1) Replacing getCurrentProcessor() with takeCurrentProcessor() (atomic get-and-clear), 2) Converting currentProcessor to AtomicReference. The original functions lacked atomic operations, allowing race conditions where multiple client connections could share a processor instance. The vulnerable functions directly handled processor association/dissociation without thread-safe mechanisms, leading to response mix-ups between clients.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

CVE-2021-43980:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Basic Information

Basic Information

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

3.7

3.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

CVE-2021-43980:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

3.7

3.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI