{"id":"GHSA-59g9-7gfx-c72p","summary":"Infinite loop in Tomcat due to parsing error","details":"Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.","aliases":["BIT-tomcat-2021-41079","CVE-2021-41079"],"modified":"2024-02-22T05:31:54.896036Z","published":"2021-09-20T20:45:44Z","database_specific":{"severity":"HIGH","nvd_published_at":"2021-09-16T15:15:00Z","github_reviewed":true,"github_reviewed_at":"2021-09-17T18:01:45Z","cwe_ids":["CWE-20","CWE-835"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41079"},{"type":"WEB","url":"https://github.com/apache/tomcat/commit/34115fb3c83f6cd97772232316a492a4cc5729e0"},{"type":"PACKAGE","url":"https://github.com/apache/tomcat"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r6b6b674e3f168dd010e67dbe6848b866e2acf26371452fdae313b98a@%3Cusers.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb4de81ac647043541a32881099aa6eb5a23f1b7fd116f713f8ab9dbe@%3Cdev.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20211008-0005"},{"type":"WEB","url":"https://www.debian.org/security/2021/dsa-4986"}],"affected":[{"package":{"name":"org.apache.tomcat:tomcat","ecosystem":"Maven","purl":"pkg:maven/org.apache.tomcat/tomcat"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10.0.0"},{"fixed":"10.0.4"}]}],"versions":["10.0.0","10.0.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-59g9-7gfx-c72p/GHSA-59g9-7gfx-c72p.json"}},{"package":{"name":"org.apache.tomcat:tomcat","ecosystem":"Maven","purl":"pkg:maven/org.apache.tomcat/tomcat"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9.0.0"},{"fixed":"9.0.44"}]}],"versions":["9.0.1","9.0.10","9.0.11","9.0.12","9.0.13","9.0.14","9.0.16","9.0.17","9.0.19","9.0.2","9.0.20","9.0.21","9.0.22","9.0.24","9.0.26","9.0.27","9.0.29","9.0.30","9.0.31","9.0.33","9.0.34","9.0.35","9.0.36","9.0.37","9.0.38","9.0.39","9.0.4","9.0.40","9.0.41","9.0.43","9.0.5","9.0.6","9.0.7","9.0.8"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-59g9-7gfx-c72p/GHSA-59g9-7gfx-c72p.json"}},{"package":{"name":"org.apache.tomcat:tomcat","ecosystem":"Maven","purl":"pkg:maven/org.apache.tomcat/tomcat"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"8.5.0"},{"fixed":"8.5.64"}]}],"versions":["8.5.0","8.5.11","8.5.12","8.5.13","8.5.14","8.5.15","8.5.16","8.5.19","8.5.2","8.5.20","8.5.21","8.5.23","8.5.24","8.5.27","8.5.28","8.5.29","8.5.3","8.5.30","8.5.31","8.5.32","8.5.33","8.5.34","8.5.35","8.5.37","8.5.38","8.5.39","8.5.4","8.5.40","8.5.41","8.5.42","8.5.43","8.5.45","8.5.46","8.5.47","8.5.49","8.5.5","8.5.50","8.5.51","8.5.53","8.5.54","8.5.55","8.5.56","8.5.57","8.5.58","8.5.59","8.5.6","8.5.60","8.5.61","8.5.63","8.5.8","8.5.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-59g9-7gfx-c72p/GHSA-59g9-7gfx-c72p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}