PT-2021-2443 · Apache · Apache Tomcat
Published 2021-02-02 · Updated 2026-03-26
CVE-2021-25122
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat versions 8.5.0 through 8.5.61
Apache Tomcat versions 9.0.0.M1 through 9.0.41
Apache Tomcat versions 10.0.0-M1 through 10.0.0
Description:
The issue lies in the HTTP/2 implementation of Apache Tomcat and could leave service data unprotected. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another. As a result, user A and user B could both see the results of user A's request, potentially affecting the confidentiality, integrity, and availability of protected information.
Recommendations:
For Apache Tomcat versions 8.5.0 through 8.5.61, update to a version that includes the fix for this issue.
For Apache Tomcat versions 9.0.0.M1 through 9.0.41, update to a version that includes the fix for this issue.
For Apache Tomcat versions 10.0.0-M1 through 10.0.0, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to sensitive data and limiting the amount of request body data that is processed by the server.
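To triage a server inventory against the affected ranges listed above, the following is an added example (not code from the advisory or from the Apache Tomcat project): it parses Tomcat version strings, including milestone releases such as 9.0.0.M1 and 10.0.0-M1, and reports whether each version falls inside an affected range. The version list in the `__main__` block is a constructed sample.

```python
import re

# Affected ranges as stated in the advisory (both ends inclusive).
AFFECTED_RANGES = [
    ("8.5.0", "8.5.61"),
    ("9.0.0.M1", "9.0.41"),
    ("10.0.0-M1", "10.0.0"),
]

# Accepts "9.0.41", "9.0.0.M1" and "10.0.0-M1" style versions.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a comparable tuple.

    A milestone becomes (..., 0, n) and a GA release (..., 1, 0), so that
    10.0.0-M1 < 10.0.0-M10 < 10.0.0, which is how Tomcat orders them.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each inventory version to whether it is affected."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["8.5.61", "8.5.62", "9.0.0.M1", "9.0.41", "9.0.43",
              "10.0.0-M1", "10.0.0", "10.0.2", "7.0.109"]
    for ver, hit in triage(sample).items():
        print(f"{ver:>10}  {'AFFECTED' if hit else 'ok'}")
```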
Tags: Exploit · Fix · Information Disclosure
Affected Products:
Alt Linux
Apache Tomcat
Astra Linux
Linuxmint
Suse
Ubuntu