Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2021-25329

Disclosure Date: March 01, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.0 High
Impact Score:
5.9
Exploitability Score:
1
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
High
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • apache,
  • debian,
  • oracle

Products

  • agile plm 9.3.3,
  • agile plm 9.3.6,
  • communications cloud native core policy 1.14.0,
  • communications cloud native core security edge protection proxy 1.6.0,
  • communications instant messaging server 10.0.1.5.0,
  • database 12.2.0.1,
  • database 19c,
  • database 21c,
  • debian linux 10.0,
  • debian linux 9.0,
  • graph server and client,
  • instantis enterprisetrack 17.1,
  • instantis enterprisetrack 17.2,
  • instantis enterprisetrack 17.3,
  • managed file transfer 12.2.1.3.0,
  • managed file transfer 12.2.1.4.0,
  • mysql enterprise monitor,
  • siebel ui framework,
  • siebel ui framework 21.9,
  • tomcat,
  • tomcat 10.0.0,
  • tomcat 9.0.0

References

Advisory

Additional Info

Technical Analysis