Detections
Analytics
Apache Tomcat 10.1.0-M1 < 10.1.0-M14 Information Disclosure
low Web App Scanning Plugin ID 113375
Language:
Synopsis
Apache Tomcat 10.1.0-M1 < 10.1.0-M14 Information DisclosureDescription
The version of Apache Tomcat installed on the remote host is 8.5.x to 8.5.77, 9.0.0-M1 to 9.0.60, 10.0.0-M1 to 10.0.18 or 10.1.0-M1 to 10.1.0-M12. It is, therefore, affected by a information disclosure vulnerability. The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache Tomcat version 10.1.0.M14 or later.See Also
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.0-M14
Plugin Details
Severity: Low
ID: 113375
Type: remote
Family: Component Vulnerability
Published: 10/4/2022
Updated: 3/14/2023
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Low
Base Score: 2.6
Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2021-43980
CVSS v3
Risk Factor: Low
Base Score: 3.7
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: CVE-2021-43980
Vulnerability Information
CPE: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Exploit Ease: No known exploits are available
Patch Publication Date: 9/28/2022
Vulnerability Publication Date: 9/28/2022
Reference Information
CVE: CVE-2021-43980
CWE: 362
OWASP: 2013-A9, 2017-A9, 2021-A6
DISA STIG: APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-16
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1