VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-fmff-4pym-u7fs

Essentials
Severities (47)
References (36)
Severity details (34)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fmff-4pym-u7fs
Aliases	CVE-2021-43980 GHSA-jx7c-7mj5-9438
Summary	Apache Tomcat Race Condition vulnerability The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	3.7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43980.json
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
epss	0.00162	https://api.first.org/data/v1/epss?cve=CVE-2021-43980
apache_tomcat	High	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43980
cvssv3.1	5.9	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-jx7c-7mj5-9438
cvssv3.1	3.7	https://github.com/apache/tomcat
generic_textual	LOW	https://github.com/apache/tomcat
cvssv3.1	3.7	https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1
generic_textual	LOW	https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1
cvssv3.1	3.7	https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13
generic_textual	LOW	https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13
cvssv3.1	3.7	https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb
generic_textual	LOW	https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb
cvssv3.1	3.7	https://github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fc
generic_textual	LOW	https://github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fc
cvssv3.1	3.7	https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
generic_textual	LOW	https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
ssvc	Track	https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
cvssv3.1	3.7	https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
generic_textual	LOW	https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
cvssv3.1	3.7	https://nvd.nist.gov/vuln/detail/CVE-2021-43980
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2021-43980
cvssv3.1	3.7	https://tomcat.apache.org/security-10.html
generic_textual	LOW	https://tomcat.apache.org/security-10.html
cvssv3.1	3.7	https://tomcat.apache.org/security-8.html
generic_textual	LOW	https://tomcat.apache.org/security-8.html
cvssv3.1	3.7	https://tomcat.apache.org/security-9.html
generic_textual	LOW	https://tomcat.apache.org/security-9.html
cvssv3.1	3.7	https://www.debian.org/security/2022/dsa-5265
generic_textual	LOW	https://www.debian.org/security/2022/dsa-5265
ssvc	Track	https://www.debian.org/security/2022/dsa-5265
cvssv3.1	3.7	http://www.openwall.com/lists/oss-security/2022/09/28/1
generic_textual	LOW	http://www.openwall.com/lists/oss-security/2022/09/28/1
ssvc	Track	http://www.openwall.com/lists/oss-security/2022/09/28/1

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43980.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-43980
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1
		https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13
		https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb
		https://github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fc
		https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
		https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
		https://nvd.nist.gov/vuln/detail/CVE-2021-43980
		https://tomcat.apache.org/security-10.html
		https://tomcat.apache.org/security-8.html
		https://tomcat.apache.org/security-9.html
		https://www.debian.org/security/2022/dsa-5265
		http://www.openwall.com/lists/oss-security/2022/09/28/1
2130599		https://bugzilla.redhat.com/show_bug.cgi?id=2130599
cpe:2.3:a:apache:tomcat::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat::::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
cpe:2.3:o:debian:debian_linux:10.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:::::::*
CVE-2021-43980		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43980
GHSA-jx7c-7mj5-9438		https://github.com/advisories/GHSA-jx7c-7mj5-9438
RHSA-2022:7272		https://access.redhat.com/errata/RHSA-2022:7272
RHSA-2022:7273		https://access.redhat.com/errata/RHSA-2022:7273

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43980.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fc

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T14:59:33Z/ Found at https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T14:59:33Z/ Found at https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-43980

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-10.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-8.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://tomcat.apache.org/security-9.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://www.debian.org/security/2022/dsa-5265

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T14:59:33Z/ Found at https://www.debian.org/security/2022/dsa-5265

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2022/09/28/1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T14:59:33Z/ Found at http://www.openwall.com/lists/oss-security/2022/09/28/1

Exploit Prediction Scoring System (EPSS)

Percentile	0.37921
EPSS Score	0.00162
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:23:27.652969+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-jx7c-7mj5-9438/GHSA-jx7c-7mj5-9438.json	36.1.3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-43980.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-43980
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1
		https://github.com/apache/tomcat/commit/17f177eeb7df5938f67ef9ea580411b120195f13
		https://github.com/apache/tomcat/commit/4a00b0c0890538b9d3107eef8f2e0afadd119beb
		https://github.com/apache/tomcat/commit/9651b83a1d04583791525e5f0c4c9089f678d9fc
		https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
		https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html
		https://nvd.nist.gov/vuln/detail/CVE-2021-43980
		https://tomcat.apache.org/security-10.html
		https://tomcat.apache.org/security-8.html
		https://tomcat.apache.org/security-9.html
		https://www.debian.org/security/2022/dsa-5265
		http://www.openwall.com/lists/oss-security/2022/09/28/1
2130599		https://bugzilla.redhat.com/show_bug.cgi?id=2130599
cpe:2.3:a:apache:tomcat::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat::::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
cpe:2.3:o:debian:debian_linux:10.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:::::::*
CVE-2021-43980		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43980
GHSA-jx7c-7mj5-9438		https://github.com/advisories/GHSA-jx7c-7mj5-9438
RHSA-2022:7272		https://access.redhat.com/errata/RHSA-2022:7272
RHSA-2022:7273		https://access.redhat.com/errata/RHSA-2022:7273