{"id":"CVE-2021-43980","details":"The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.","aliases":["BIT-tomcat-2021-43980","GHSA-jx7c-7mj5-9438"],"modified":"2026-04-16T04:37:17.010497644Z","published":"2022-09-28T14:15:09.880Z","related":["SUSE-SU-2022:4009-1","SUSE-SU-2022:4221-1","SUSE-SU-2022:4257-1","SUSE-SU-2026:1058-1","openSUSE-SU-2024:12534-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5265"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/09/28/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"last_affected":"3931695e564dd4dd1dbf029026e900b74992408c"},{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"last_affected":"235730aed454e8d3619109f2c563587ff722e69d"},{"introduced":"4c8b650437e2464c1c31c6598a263b3805b7a81f"},{"last_affected":"70f59e8328621e58b9493c119f05a2e57f597a1c"},{"introduced":"0"},{"last_affected":"f2ab9ac8bc3f40ee9b2cb50b030c99df927f0429"},{"introduced":"0"},{"last_affected":"dc3639dd7123301ced18dbf4ddf2dca93704870d"},{"introduced":"0"},{"last_affected":"049799677ba307378a256621bb1a7b03f597571c"},{"introduced":"0"},{"last_affected":"d08498a3cefa7206bad791acf019455794f865ea"},{"introduced":"0"},{"last_affected":"0e59fedb28df646930c5aff945159b64d7a52260"},{"introduced":"0"},{"last_affected":"8778a44d6323c1066237043a89ab2f36696916b1"},{"introduced":"0"},{"last_affected":"e706972942e2c342e4a37baf5e2596f11e8a0e94"},{"introduced":"0"},{"last_affected":"2a10c8d9110d7b1c7f526f3352648c6b19ba2c52"},{"introduced":"0"},{"last_affected":"51d1031c36c0f2b3ee1e0d14b56228a559144153"},{"introduced":"0"},{"last_affected":"0f3f1e439a040068b741d77777766722e4420ad6"},{"introduced":"0"},{"last_affected":"cd53876fefaa370c31466b0f615e9ad026541a27"},{"introduced":"0"},{"last_affected":"02d546ba3c553c74ff1a99ecc166a6ff9c501ba8"},{"introduced":"0"},{"last_affected":"4c8b650437e2464c1c31c6598a263b3805b7a81f"},{"introduced":"0"},{"last_affected":"56e547d387ab49f688c93fe9ca082b1b5d94deed"}],"database_specific":{"versions":[{"introduced":"8.5.0"},{"last_affected":"8.5.77"},{"introduced":"9.0.0"},{"last_affected":"9.0.60"},{"introduced":"10.0.0"},{"last_affected":"10.0.18"},{"introduced":"0"},{"last_affected":"10.1.0-milestone1"},{"introduced":"0"},{"last_affected":"10.1.0-milestone10"},{"introduced":"0"},{"last_affected":"10.1.0-milestone11"},{"introduced":"0"},{"last_affected":"10.1.0-milestone12"},{"introduced":"0"},{"last_affected":"10.1.0-milestone2"},{"introduced":"0"},{"last_affected":"10.1.0-milestone3"},{"introduced":"0"},{"last_affected":"10.1.0-milestone4"},{"introduced":"0"},{"last_affected":"10.1.0-milestone5"},{"introduced":"0"},{"last_affected":"10.1.0-milestone6"},{"introduced":"0"},{"last_affected":"10.1.0-milestone7"},{"introduced":"0"},{"last_affected":"10.1.0-milestone8"},{"introduced":"0"},{"last_affected":"10.1.0-milestone9"},{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"0"},{"last_affected":"11.0"}]}}],"versions":["10.0.0","10.0.18","10.1.0-M1","10.1.0-M10","10.1.0-M11","10.1.0-M12","10.1.0-M2","10.1.0-M3","10.1.0-M4","10.1.0-M5","10.1.0-M6","10.1.0-M7","10.1.0-M8","10.1.0-M9","11.0.0","8.5.77","9.0.60"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43980.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}