GHSA-jgwr-3qm3-26f3

Source

https://github.com/advisories/GHSA-jgwr-3qm3-26f3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jgwr-3qm3-26f3

Aliases

Related

CGA-457j-5q26-g4hx

Published

2021-03-19T20:11:13Z

Modified

2024-03-08T05:18:06.945365Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Potential remote code execution in Apache Tomcat

Details

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0-M1

Fixed

10.0.2

Affected versions

10.*

10.0.0-M1

10.0.0-M3

10.0.0-M4

10.0.0-M5

10.0.0-M6

10.0.0-M7

10.0.0-M8

10.0.0-M9

10.0.0-M10

10.0.0

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.0.41

Affected versions

9.*

9.0.1

9.0.2

9.0.4

9.0.5

9.0.6

9.0.7

9.0.8

9.0.10

9.0.11

9.0.12

9.0.13

9.0.14

9.0.16

9.0.17

9.0.19

9.0.20

9.0.21

9.0.22

9.0.24

9.0.26

9.0.27

9.0.29

9.0.30

9.0.31

9.0.33

9.0.34

9.0.35

9.0.36

9.0.37

9.0.38

9.0.39

9.0.40

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.5.61

Affected versions

8.*

8.0.1

8.0.3

8.0.5

8.0.8

8.0.9

8.0.11

8.0.12

8.0.14

8.0.15

8.0.17

8.0.18

8.0.20

8.0.21

8.0.22

8.0.23

8.0.24

8.0.26

8.0.27

8.0.28

8.0.29

8.0.30

8.0.32

8.0.33

8.0.35

8.0.36

8.0.37

8.0.38

8.0.39

8.0.41

8.0.42

8.0.43

8.0.44

8.0.45

8.0.46

8.0.47

8.0.48

8.0.49

8.0.50

8.0.51

8.0.52

8.0.53

8.5.0

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.8

8.5.9

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.19

8.5.20

8.5.21

8.5.23

8.5.24

8.5.27

8.5.28

8.5.29

8.5.30

8.5.31

8.5.32

8.5.33

8.5.34

8.5.35

8.5.37

8.5.38

8.5.39

8.5.40

8.5.41

8.5.42

8.5.43

8.5.45

8.5.46

8.5.47

8.5.49

8.5.50

8.5.51

8.5.53

8.5.54

8.5.55

8.5.56

8.5.57

8.5.58

8.5.59

8.5.60

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.108

Affected versions

7.*

7.0.0

7.0.2

7.0.4

7.0.5

7.0.6

7.0.8

7.0.11

7.0.12

7.0.14

7.0.16

7.0.19

7.0.20

7.0.21

7.0.22

7.0.23

7.0.25

7.0.26

7.0.27

7.0.28

7.0.29

7.0.30

7.0.32

7.0.33

7.0.34

7.0.35

7.0.37

7.0.39

7.0.40

7.0.41

7.0.42

7.0.47

7.0.50

7.0.52

7.0.53

7.0.54

7.0.55

7.0.56

7.0.57

7.0.59

7.0.61

7.0.62

7.0.63

7.0.64

7.0.65

7.0.67

7.0.68

7.0.69

7.0.70

7.0.72

7.0.73

7.0.75

7.0.76

7.0.77

7.0.78

7.0.79

7.0.81

7.0.82

7.0.84

7.0.85

7.0.86

7.0.88

7.0.90

7.0.91

7.0.92

7.0.93

7.0.94

7.0.96

7.0.99

7.0.100

7.0.103

7.0.104

7.0.105

7.0.106

7.0.107

Database specific

{
    "last_known_affected_version_range": "< 7.0.107"
}