CVE-2021-25329 - Remote Code Execution (RCE)

Severity: Medium

2021-04-13

Abstract

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484.

The tomcat-catalina package is vulnerable to Remote Code Execution (RCE). The file() method in the FileStore class fails to sufficiently enforce the current FileStore directory when creating a File object, allowing Tomcat instances with certain configurations to deserialize objects from files outside of the file store. An attacker with knowledge of the FileStore location and control of the file passed into the FileStore object as input may submit a maliciously crafted request to trigger arbitrary code execution on affected Tomcat servers.

The Oxygen Feedback product incorporates Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                        Severity   Fixed Release Availability
Oxygen Feedback 1.4 and older  Medium     Oxygen Feedback 1.4.1

Mitigation

None

Detail

CVE-2021-25329

Severity: High

CVSS Score: 7.0

The Apache Tomcat 9.0.41 third-party library used by Oxygen XML software products is one of the affected versions listed in the CVE-2021-25329 vulnerability description.

Starting with Oxygen Feedback 1.4.1, Apache Tomcat was updated to version 9.0.44, which includes a fix for CVE-2021-25329.
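As an added exposure check (example code written for this page, not part of the advisory, of Oxygen Feedback or of Tomcat), the script below tests a Tomcat version string against the affected ranges listed in the abstract and scans a context.xml for the PersistentManager/FileStore session configuration the defect depends on. The Manager/Store element and class names are assumed from Tomcat's documented session-manager configuration (the advisory itself names only FileStore), and the context.xml sample is constructed.

```python
import re
from xml.etree import ElementTree as ET

# Affected Tomcat ranges from the advisory (inclusive). Milestone builds
# such as 10.0.0-M1 / 9.0.0.M1 sort before the corresponding final release.
AFFECTED = [
    ("10.0.0-M1", "10.0.0"),
    ("9.0.0.M1", "9.0.41"),
    ("8.5.0", "8.5.61"),
    ("7.0.0", "7.0.107"),
]

def parse_version(v):
    """Turn '9.0.41', '9.0.0.M1' or '10.0.0-M1' into a comparable tuple.
    A milestone gets a (0, n) tail so it sorts before the final release (1, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail

def is_affected(version):
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def uses_file_store(context_xml):
    """True if a context.xml configures PersistentManager backed by FileStore.
    Element and class names are an assumption based on Tomcat's documented
    session-manager configuration; the advisory only names FileStore."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if mgr.get("className", "").endswith(".PersistentManager"):
            for store in mgr.iter("Store"):
                if store.get("className", "").endswith(".FileStore"):
                    return True
    return False

def exposure(version, context_xml):
    """Both conditions must hold: an affected build and a FileStore in use."""
    return is_affected(version) and uses_file_store(context_xml)

# Constructed sample context.xml, not taken from any real deployment.
SAMPLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
```

Run `exposure("9.0.41", SAMPLE_CONTEXT)` against the bundled 9.0.41 to see the pre-1.4.1 state flagged, and `exposure("9.0.44", SAMPLE_CONTEXT)` to confirm the fixed build is outside the ranges.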