CVE-2021-25122 - Information Exposure vulnerability

Severity (Oxygen Feedback): Medium
Published: 2021-04-13

Abstract

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

The tomcat-coyote package is vulnerable to Information Exposure. The process method in AbstractProtocol.class does not properly handle HTTP/2 Cleartext (h2c) upgrade connections from multiple clients, so the request headers and part of the request body belonging to one connection can be sent in the response to another. An attacker can exploit this to read sensitive information that was meant for a different client.

The Oxygen Feedback product incorporates Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on Oxygen Feedback.

Affected Products/Versions

Product: Oxygen Feedback 1.4 and older
Severity: Medium
Fixed Release Availability: Oxygen Feedback 1.4.1

Mitigation

None. No workaround is available; the fix is to upgrade to Oxygen Feedback 1.4.1, which ships a fixed Apache Tomcat (see Detail).

Detail

CVE-2021-25122

Severity: High

CVSS Score: 7.5

The Apache Tomcat 9.0.41 third-party library used by Oxygen Feedback software products falls within the affected range (9.0.0.M1 to 9.0.41) listed in the CVE-2021-25122 vulnerability description.

Starting with Oxygen Feedback 1.4.1, Apache Tomcat was updated to version 9.0.44, which includes the fix for CVE-2021-25122.
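The following is an added example, not part of this advisory or of the Oxygen Feedback product: a check that reads the version string Tomcat stores in org/apache/catalina/util/ServerInfo.properties inside catalina.jar or tomcat-embed-core-*.jar and compares it against the affected ranges quoted in the Abstract (10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61). The jar files used below are constructed in memory as fixtures; in a real deployment you would pass the bytes of the jar found under the product's lib directory. Milestone releases (9.0.0.M1, 10.0.0-M1) are ordered before the GA release with the same number, which is what makes the range comparison correct at the lower bounds.

```python
import io
import re
import zipfile

# Inclusive affected ranges per branch, copied from the advisory abstract.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0"),
    ("9.0.0.M1", "9.0.41"),
    ("8.5.0", "8.5.61"),
]

# Location of the version file inside Tomcat's catalina.jar / tomcat-embed-core jar.
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(version):
    """Convert a Tomcat version string into a comparable tuple.

    Accepts GA versions (9.0.41) and milestones in both spellings Tomcat has
    used (9.0.0.M1 and 10.0.0-M1). A milestone N becomes (..., 0, N) and a GA
    release becomes (..., 1, 0), so every milestone sorts before its GA.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected(version):
    """True if the version lies inside any of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def tomcat_version_from_jar(jar_bytes):
    """Return the Tomcat version from ServerInfo.properties, or None if absent.

    The file carries a line such as 'server.info=Apache Tomcat/9.0.41'; the
    part after the slash is the version string.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            props = zf.read(SERVER_INFO_PATH).decode("utf-8")
        except KeyError:
            return None
    for line in props.splitlines():
        line = line.strip()
        if line.startswith("server.info=") and "/" in line:
            return line.split("/", 1)[1].strip()
    return None


def check_jar(jar_bytes):
    """Return (version, affected) for a Tomcat jar; version is None if unknown."""
    version = tomcat_version_from_jar(jar_bytes)
    if version is None:
        return (None, False)
    return (version, is_affected(version))


def build_sample_jar(server_info):
    """Constructed fixture: a minimal jar holding only ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO_PATH, f"server.info={server_info}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs mirroring the versions named in this advisory.
    for info in ("Apache Tomcat/9.0.41", "Apache Tomcat/9.0.44",
                 "Apache Tomcat/10.0.0-M1", "Apache Tomcat/8.5.62"):
        version, affected = check_jar(build_sample_jar(info))
        print(f"{version}: {'AFFECTED' if affected else 'not affected'}")
```

To run this against an installation, replace build_sample_jar with the bytes of the real jar (for example open(path, "rb").read() on catalina.jar). A jar without ServerInfo.properties is reported as unknown rather than as safe, so a missing file is a prompt to look further, not a pass.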