3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43980

GHSA ID

GHSA-jx7c-7mj5-9438

EPSS Score

0.37829%

CWE

CWE-362

Published

9/29/2022

Updated

3/11/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43980

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43980

GHSA ID

GHSA-jx7c-7mj5-9438

EPSS Score

0.37829%

CWE

CWE-362

Published

9/29/2022

Updated

3/11/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 8.5.0, < 8.5.78	8.5.78
org.apache.tomcat:tomcat	maven	>= 9.0.0-M1, < 9.0.62	9.0.62
org.apache.tomcat:tomcat	maven	>= 10.0.0-M1, < 10.0.20	10.0.20
org.apache.tomcat:tomcat	maven	>= 10.1.0-M1, < 10.1.0-M14	10.1.0-M14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper synchronization around Http11Processor instance management. The commit diff shows critical changes: 1) Replacing getCurrentProcessor() with takeCurrentProcessor() (atomic get-and-clear), 2) Converting currentProcessor to AtomicReference. The original functions lacked atomic operations, allowing race conditions where multiple client connections could share a processor instance. The vulnerable functions directly handled processor association/dissociation without thread-safe mechanisms, leading to response mix-ups between clients.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** simpli*i** impl*m*nt*tion o* *lo*kin* r***s *n* writ*s intro*u*** in Tom**t ** *n* ***k-port** to Tom**t *.*.** onw*r*s *xpos** * lon* st*n*in* (*ut *xtr*m*ly **r* to tri***r) *on*urr*n*y *u* in *p**** Tom**t **.*.* to **.*.*-M**, **.*.*-M* to **

Reasoning

T** vuln*r**ility st*mm** *rom improp*r syn**roniz*tion *roun* `*ttp**Pro**ssor` inst*n** m*n***m*nt. T** *ommit *i** s*ows *riti**l ***n**s: *) R*pl**in* `**t*urr*ntPro**ssor()` wit* `t*k**urr*ntPro**ssor()` (*tomi* **t-*n*-*l**r), *) *onv*rtin* `*u

3.7

Basic Information

Concerned about an active attack path?

CVE-2021-43980: Apache Tomcat Race Condition vulnerability

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI