When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and through 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
HIGH Vulnerable Package issue exists @ org.apache.tomcat:tomcat-coyote in branch refs/heads/master
jbrotsos
commented
2 years ago
Description
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and through 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
HIGH Vulnerable Package issue exists @ org.apache.tomcat:tomcat-coyote in branch refs/heads/master
Vulnerability ID: CVE-2021-25122
Package Name: org.apache.tomcat:tomcat-coyote
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2021-03-01T12:15:00
Current Package Version: 9.0.22
Remediation Upgrade Recommendation: 9.0.43
Link To SCA
Reference – NVD link