Homepage
About Snyk

Remote Code Execution (RCE) Affecting org.apache.tomcat:tomcat-catalina package, versions [10.0.0-M1, 10.0.2) [9.0.0.M1, 9.0.43) [8.5.0, 8.5.63) [7.0.0, 7.0.108)

0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.05% (13th percentile)
Expand this section
NVD
7 high
Expand this section
SUSE
7 high
Expand this section
Red Hat
7 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGAPACHETOMCAT-1080636
  • published 1 Mar 2021
  • disclosed 1 Mar 2021
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 1 Mar 2021

CVE-2021-25329 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.2, 9.0.43, 8.5.63, 7.0.108 or higher.

Overview

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.