Action not permitted
Modal body text goes here.
Modal Title
Modal Body
usn-5360-1
Vulnerability from osv_ubuntu
It was discovered that Tomcat incorrectly performed input verification. A remote attacker could possibly use this issue to intercept sensitive information. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)
It was discovered that Tomcat did not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-9484, CVE-2021-33037)
It was discovered that Tomcat did not properly validate the input length. An attacker could possibly use this to trigger an infinite loop, resulting in a denial of service. (CVE-2021-25329, CVE-2021-41079)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2020-9484",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2020-17527",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-25122",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-25329",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-30640",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-33037",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-41079",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2020-17527",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-25122",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-25329",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-30640",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-33037",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2021-41079",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "It was discovered that Tomcat incorrectly performed input verification.\nA remote attacker could possibly use this issue to intercept sensitive\ninformation. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)\n\nIt was discovered that Tomcat did not properly deserialize untrusted data.\nAn attacker could possibly use this issue to execute arbitrary code.\n(CVE-2020-9484, CVE-2021-33037)\n\nIt was discovered that Tomcat did not properly validate the input length. An\nattacker could possibly use this to trigger an infinite loop, resulting in a\ndenial of service. (CVE-2021-25329, CVE-2021-41079)\n",
"id": "USN-5360-1",
"modified": "2026-04-27T14:11:28Z",
"published": "2022-03-31T18:51:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-9484"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-13943"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-17527"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-25122"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-25329"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-30640"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-33037"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-41079"
},
{
"type": "REPORT",
"url": "https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "tomcat9 vulnerabilities",
"upstream": [
"UBUNTU-CVE-2020-9484",
"UBUNTU-CVE-2020-13943",
"UBUNTU-CVE-2020-17527",
"UBUNTU-CVE-2021-25122",
"UBUNTU-CVE-2021-25329",
"UBUNTU-CVE-2021-30640",
"UBUNTU-CVE-2021-33037",
"UBUNTU-CVE-2021-41079"
]
}
ubuntu-cve-2020-17527
Vulnerability from osv_ubuntu
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
| URL | Type | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1",
"8.5.39-1ubuntu1~18.04.3+esm2",
"8.5.39-1ubuntu1~18.04.3+esm3",
"8.5.39-1ubuntu1~18.04.3+esm4",
"8.5.39-1ubuntu1~18.04.3+esm5"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.",
"id": "UBUNTU-CVE-2020-17527",
"modified": "2025-09-08T16:46:16Z",
"published": "2020-12-03T19:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-17527"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2020/12/03/3"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
}
],
"related": [
"USN-5360-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2020-17527"
]
}
ubuntu-cve-2020-9484
Vulnerability from osv_ubuntu
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.52-1ubuntu0.16+esm1?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.52-1ubuntu0.16+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.42-1",
"7.0.47-1",
"7.0.50-1",
"7.0.52-1",
"7.0.52-1ubuntu0.1",
"7.0.52-1ubuntu0.3",
"7.0.52-1ubuntu0.6",
"7.0.52-1ubuntu0.7",
"7.0.52-1ubuntu0.8",
"7.0.52-1ubuntu0.9",
"7.0.52-1ubuntu0.10",
"7.0.52-1ubuntu0.11",
"7.0.52-1ubuntu0.13",
"7.0.52-1ubuntu0.14",
"7.0.52-1ubuntu0.15",
"7.0.52-1ubuntu0.16"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libservlet3.1-java",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.0.32-1ubuntu1.13"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.0.32-1ubuntu1.13"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.13?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.32-1ubuntu1.13"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.26-1",
"8.0.28-1",
"8.0.30-1",
"8.0.32-1",
"8.0.32-1ubuntu1",
"8.0.32-1ubuntu1.1",
"8.0.32-1ubuntu1.2",
"8.0.32-1ubuntu1.3",
"8.0.32-1ubuntu1.4",
"8.0.32-1ubuntu1.5",
"8.0.32-1ubuntu1.6",
"8.0.32-1ubuntu1.7",
"8.0.32-1ubuntu1.8",
"8.0.32-1ubuntu1.9",
"8.0.32-1ubuntu1.10",
"8.0.32-1ubuntu1.11"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.68-1ubuntu0.4+esm2?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.68-1ubuntu0.4+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.64-1",
"7.0.68-1",
"7.0.68-1ubuntu0.1",
"7.0.68-1ubuntu0.3",
"7.0.68-1ubuntu0.4",
"7.0.68-1ubuntu0.4+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.78-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.78-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.78-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.78-1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.39-1ubuntu1~18.04.3+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.1"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1"
]
}
],
"aliases": [],
"details": "When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.",
"id": "UBUNTU-CVE-2020-9484",
"modified": "2025-09-08T16:46:00Z",
"published": "2020-05-20T19:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-9484"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4448-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4596-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6908-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6943-1"
}
],
"related": [
"USN-4448-1",
"USN-4596-1",
"USN-5360-1",
"USN-6908-1",
"USN-6943-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2020-9484"
]
}
ubuntu-cve-2020-9494
Vulnerability from osv_ubuntu
Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "trafficserver",
"binary_version": "5.3.0-2ubuntu2"
},
{
"binary_name": "trafficserver-experimental-plugins",
"binary_version": "5.3.0-2ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "trafficserver",
"purl": "pkg:deb/ubuntu/trafficserver@5.3.0-2ubuntu2?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.3.0-2ubuntu1",
"5.3.0-2ubuntu2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "trafficserver",
"binary_version": "7.1.2+ds-3"
},
{
"binary_name": "trafficserver-experimental-plugins",
"binary_version": "7.1.2+ds-3"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "trafficserver",
"purl": "pkg:deb/ubuntu/trafficserver@7.1.2+ds-3?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.0-5",
"7.1.2+ds-2",
"7.1.2+ds-2build1",
"7.1.2+ds-3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "trafficserver",
"binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
},
{
"binary_name": "trafficserver-experimental-plugins",
"binary_version": "8.0.5+ds-3ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "trafficserver",
"purl": "pkg:deb/ubuntu/trafficserver@8.0.5+ds-3ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.5+ds-1",
"8.0.5+ds-2",
"8.0.5+ds-2build1",
"8.0.5+ds-2ubuntu1",
"8.0.5+ds-3",
"8.0.5+ds-3ubuntu0.1~esm1"
]
}
],
"aliases": [],
"details": "Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the thread.",
"id": "UBUNTU-CVE-2020-9494",
"modified": "2026-04-22T07:39:20Z",
"published": "2020-06-24T16:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2020-9494"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rf7f86917f42fdaf904d99560cba0c016e03baea6244c47efeb60ecbe%40%3Cdev.trafficserver.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9494"
}
],
"related": [
"USN-5360-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2020-9494"
]
}
ubuntu-cve-2021-25122
Vulnerability from osv_ubuntu
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
| URL | Type | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.39-1ubuntu1~18.04.3+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A\u0027s request.",
"id": "UBUNTU-CVE-2021-25122",
"modified": "2025-07-18T16:46:40Z",
"published": "2021-03-01T12:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-25122"
},
{
"type": "REPORT",
"url": "https://www.openwall.com/lists/oss-security/2021/03/01/1"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/1"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25122"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6943-1"
}
],
"related": [
"USN-5360-1",
"USN-6943-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-25122"
]
}
ubuntu-cve-2021-25329
Vulnerability from osv_ubuntu
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
| URL | Type | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.52-1ubuntu0.16+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.52-1ubuntu0.16+esm1?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.52-1ubuntu0.16+esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.42-1",
"7.0.47-1",
"7.0.50-1",
"7.0.52-1",
"7.0.52-1ubuntu0.1",
"7.0.52-1ubuntu0.3",
"7.0.52-1ubuntu0.6",
"7.0.52-1ubuntu0.7",
"7.0.52-1ubuntu0.8",
"7.0.52-1ubuntu0.9",
"7.0.52-1ubuntu0.10",
"7.0.52-1ubuntu0.11",
"7.0.52-1ubuntu0.13",
"7.0.52-1ubuntu0.14",
"7.0.52-1ubuntu0.15",
"7.0.52-1ubuntu0.16"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet2.4-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libservlet2.5-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libtomcat6-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-admin",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-common",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-docs",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-examples",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-extras",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-user",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat6",
"purl": "pkg:deb/ubuntu/tomcat6@6.0.39-1ubuntu0.1+esm3?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.37-1",
"6.0.39-1",
"6.0.39-1ubuntu0.1",
"6.0.39-1ubuntu0.1+esm1",
"6.0.39-1ubuntu0.1+esm2",
"6.0.39-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.68-1ubuntu0.4+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.68-1ubuntu0.4+esm2?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.68-1ubuntu0.4+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.64-1",
"7.0.68-1",
"7.0.68-1ubuntu0.1",
"7.0.68-1ubuntu0.3",
"7.0.68-1ubuntu0.4",
"7.0.68-1ubuntu0.4+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.1-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.13+esm1?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.26-1",
"8.0.28-1",
"8.0.30-1",
"8.0.32-1",
"8.0.32-1ubuntu1",
"8.0.32-1ubuntu1.1",
"8.0.32-1ubuntu1.2",
"8.0.32-1ubuntu1.3",
"8.0.32-1ubuntu1.4",
"8.0.32-1ubuntu1.5",
"8.0.32-1ubuntu1.6",
"8.0.32-1ubuntu1.7",
"8.0.32-1ubuntu1.8",
"8.0.32-1ubuntu1.9",
"8.0.32-1ubuntu1.10",
"8.0.32-1ubuntu1.11",
"8.0.32-1ubuntu1.13",
"8.0.32-1ubuntu1.13+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.78-1ubuntu0.1~esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.78-1ubuntu0.1~esm1?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.78-1ubuntu0.1~esm1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.78-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1",
"8.5.39-1ubuntu1~18.04.3+esm2",
"8.5.39-1ubuntu1~18.04.3+esm3",
"8.5.39-1ubuntu1~18.04.3+esm4",
"8.5.39-1ubuntu1~18.04.3+esm5"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.",
"id": "UBUNTU-CVE-2021-25329",
"modified": "2026-06-04T10:38:31Z",
"published": "2021-03-01T12:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-25329"
},
{
"type": "REPORT",
"url": "https://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"type": "REPORT",
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25329"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6908-1"
}
],
"related": [
"USN-5360-1",
"USN-6908-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-25329"
]
}
ubuntu-cve-2021-30640
Vulnerability from osv_ubuntu
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet2.4-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libservlet2.5-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libtomcat6-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-admin",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-common",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-docs",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-examples",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-extras",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-user",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat6",
"purl": "pkg:deb/ubuntu/tomcat6@6.0.39-1ubuntu0.1+esm3?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.37-1",
"6.0.39-1",
"6.0.39-1ubuntu0.1",
"6.0.39-1ubuntu0.1+esm1",
"6.0.39-1ubuntu0.1+esm2",
"6.0.39-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.52-1ubuntu0.16+esm2?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.42-1",
"7.0.47-1",
"7.0.50-1",
"7.0.52-1",
"7.0.52-1ubuntu0.1",
"7.0.52-1ubuntu0.3",
"7.0.52-1ubuntu0.6",
"7.0.52-1ubuntu0.7",
"7.0.52-1ubuntu0.8",
"7.0.52-1ubuntu0.9",
"7.0.52-1ubuntu0.10",
"7.0.52-1ubuntu0.11",
"7.0.52-1ubuntu0.13",
"7.0.52-1ubuntu0.14",
"7.0.52-1ubuntu0.15",
"7.0.52-1ubuntu0.16",
"7.0.52-1ubuntu0.16+esm1",
"7.0.52-1ubuntu0.16+esm2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.1-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.13+esm1?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.26-1",
"8.0.28-1",
"8.0.30-1",
"8.0.32-1",
"8.0.32-1ubuntu1",
"8.0.32-1ubuntu1.1",
"8.0.32-1ubuntu1.2",
"8.0.32-1ubuntu1.3",
"8.0.32-1ubuntu1.4",
"8.0.32-1ubuntu1.5",
"8.0.32-1ubuntu1.6",
"8.0.32-1ubuntu1.7",
"8.0.32-1ubuntu1.8",
"8.0.32-1ubuntu1.9",
"8.0.32-1ubuntu1.10",
"8.0.32-1ubuntu1.11",
"8.0.32-1ubuntu1.13",
"8.0.32-1ubuntu1.13+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.68-1ubuntu0.4+esm4?arch=source\u0026distro=esm-apps-legacy/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.64-1",
"7.0.68-1",
"7.0.68-1ubuntu0.1",
"7.0.68-1ubuntu0.3",
"7.0.68-1ubuntu0.4",
"7.0.68-1ubuntu0.4+esm1",
"7.0.68-1ubuntu0.4+esm2",
"7.0.68-1ubuntu0.4+esm3",
"7.0.68-1ubuntu0.4+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1",
"8.5.39-1ubuntu1~18.04.3+esm2",
"8.5.39-1ubuntu1~18.04.3+esm3",
"8.5.39-1ubuntu1~18.04.3+esm4",
"8.5.39-1ubuntu1~18.04.3+esm5"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.",
"id": "UBUNTU-CVE-2021-30640",
"modified": "2026-06-04T10:38:36Z",
"published": "2021-07-12T15:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-30640"
},
{
"type": "REPORT",
"url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=65224"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30640"
}
],
"related": [
"USN-5360-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-30640"
]
}
ubuntu-cve-2021-33037
Vulnerability from osv_ubuntu
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
| URL | Type | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet2.4-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libservlet2.5-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "libtomcat6-java",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-admin",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-common",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-docs",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-examples",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-extras",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
},
{
"binary_name": "tomcat6-user",
"binary_version": "6.0.39-1ubuntu0.1+esm3"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat6",
"purl": "pkg:deb/ubuntu/tomcat6@6.0.39-1ubuntu0.1+esm3?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.37-1",
"6.0.39-1",
"6.0.39-1ubuntu0.1",
"6.0.39-1ubuntu0.1+esm1",
"6.0.39-1ubuntu0.1+esm2",
"6.0.39-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.52-1ubuntu0.16+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.52-1ubuntu0.16+esm2?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.42-1",
"7.0.47-1",
"7.0.50-1",
"7.0.52-1",
"7.0.52-1ubuntu0.1",
"7.0.52-1ubuntu0.3",
"7.0.52-1ubuntu0.6",
"7.0.52-1ubuntu0.7",
"7.0.52-1ubuntu0.8",
"7.0.52-1ubuntu0.9",
"7.0.52-1ubuntu0.10",
"7.0.52-1ubuntu0.11",
"7.0.52-1ubuntu0.13",
"7.0.52-1ubuntu0.14",
"7.0.52-1ubuntu0.15",
"7.0.52-1ubuntu0.16",
"7.0.52-1ubuntu0.16+esm1",
"7.0.52-1ubuntu0.16+esm2"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.1-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.0.32-1ubuntu1.13+esm1"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.13+esm1?arch=source\u0026distro=esm-infra/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.26-1",
"8.0.28-1",
"8.0.30-1",
"8.0.32-1",
"8.0.32-1ubuntu1",
"8.0.32-1ubuntu1.1",
"8.0.32-1ubuntu1.2",
"8.0.32-1ubuntu1.3",
"8.0.32-1ubuntu1.4",
"8.0.32-1ubuntu1.5",
"8.0.32-1ubuntu1.6",
"8.0.32-1ubuntu1.7",
"8.0.32-1ubuntu1.8",
"8.0.32-1ubuntu1.9",
"8.0.32-1ubuntu1.10",
"8.0.32-1ubuntu1.11",
"8.0.32-1ubuntu1.13",
"8.0.32-1ubuntu1.13+esm1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libservlet3.0-java",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "libtomcat7-java",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-admin",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-common",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-docs",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-examples",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
},
{
"binary_name": "tomcat7-user",
"binary_version": "7.0.68-1ubuntu0.4+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "tomcat7",
"purl": "pkg:deb/ubuntu/tomcat7@7.0.68-1ubuntu0.4+esm4?arch=source\u0026distro=esm-apps-legacy/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.0.64-1",
"7.0.68-1",
"7.0.68-1ubuntu0.1",
"7.0.68-1ubuntu0.3",
"7.0.68-1ubuntu0.4",
"7.0.68-1ubuntu0.4+esm1",
"7.0.68-1ubuntu0.4+esm2",
"7.0.68-1ubuntu0.4+esm3",
"7.0.68-1ubuntu0.4+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1",
"8.5.39-1ubuntu1~18.04.3+esm2",
"8.5.39-1ubuntu1~18.04.3+esm3",
"8.5.39-1ubuntu1~18.04.3+esm4",
"8.5.39-1ubuntu1~18.04.3+esm5"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.",
"id": "UBUNTU-CVE-2021-33037",
"modified": "2026-06-04T10:38:38Z",
"published": "2021-07-12T15:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-33037"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33037"
}
],
"related": [
"USN-5360-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-33037"
]
}
ubuntu-cve-2021-41079
Vulnerability from osv_ubuntu
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
| URL | Type | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.16-3ubuntu0.18.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.16-3ubuntu0.18.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.16-3~18.04.1",
"9.0.16-3ubuntu0.18.04.1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "libtomcat8-embed-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "libtomcat8-java",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-admin",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-common",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-docs",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-examples",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
},
{
"binary_name": "tomcat8-user",
"binary_version": "8.5.39-1ubuntu1~18.04.3+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "tomcat8",
"purl": "pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.39-1ubuntu1~18.04.3+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.21-1ubuntu1",
"8.5.29-1",
"8.5.30-1",
"8.5.30-1ubuntu1",
"8.5.30-1ubuntu1.2",
"8.5.30-1ubuntu1.3",
"8.5.30-1ubuntu1.4",
"8.5.39-1ubuntu1~18.04.1",
"8.5.39-1ubuntu1~18.04.2",
"8.5.39-1ubuntu1~18.04.3",
"8.5.39-1ubuntu1~18.04.3+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libtomcat9-embed-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "libtomcat9-java",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-admin",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-common",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-docs",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-examples",
"binary_version": "9.0.31-1ubuntu0.2"
},
{
"binary_name": "tomcat9-user",
"binary_version": "9.0.31-1ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "tomcat9",
"purl": "pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.2?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.31-1ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.24-1",
"9.0.27-1",
"9.0.31-1",
"9.0.31-1ubuntu0.1"
]
}
],
"aliases": [],
"details": "Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.",
"id": "UBUNTU-CVE-2021-41079",
"modified": "2025-07-18T16:47:00Z",
"published": "2021-09-16T15:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2021-41079"
},
{
"type": "REPORT",
"url": "https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8"
},
{
"type": "REPORT",
"url": "https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5360-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41079"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6943-1"
}
],
"related": [
"USN-5360-1",
"USN-6943-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2021-41079"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.