[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-MGASA-2021-0485":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":22,"duplicates":23,"related":24,"reserved_at":9,"published_at":29,"modified_at":30,"state":9,"summary":31,"references_raw":33,"kevs":74,"epss":9,"epss_history":75,"metrics":76,"affected":77},"MGASA-2021-0485","Updated tomcat packages fix security vulnerability\n\nA vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to\nauthenticate using variations of a valid user name and/or to bypass some\nof the protection provided by the LockOut Realm. (CVE-2021-30640)\n\nApache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66\ndid not correctly parse the HTTP transfer-encoding request header in some\ncircumstances leading to the possibility to request smuggling when used\nwith a reverse proxy. Specifically: - Tomcat incorrectly ignored the\ntransfer encoding header if the client declared it would only accept an\nHTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat\ndid not ensure that, if present, the chunked encoding was the final\nencoding. (CVE-2021-33037)\n\nApache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2\ndid not properly validate incoming TLS packets. When Tomcat was configured\nto use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet\ncould be used to trigger an infinite loop resulting in a denial of service.\n(CVE-2021-41079)\n\nThe fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5,\n10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a\nmemory leak. The object introduced to collect metrics for HTTP upgrade\nconnections was not released for WebSocket connections once the\nconnection was closed. This created a memory leak that, over time, could\nlead to a denial of service via an OutOfMemoryError. (CVE-2021-42340)\n",null,[],[],[],[14,16,18,20],{"_key":15},"CVE-2021-30640",{"_key":17},"CVE-2021-33037",{"_key":19},"CVE-2021-41079",{"_key":21},"CVE-2021-42340",[],[],[25,26,27,28],{"_key":15},{"_key":17},{"_key":19},{"_key":21},"2021-10-23T10:05:28Z","2026-04-16T04:24:27.230941Z",{"cisa_kev":32,"cisa_ransomware":32,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[34,40,45,50,54,58,62,66,70],{"url":35,"sources":36,"tags":38},"https://advisories.mageia.org/MGASA-2021-0485.html",[37],"osv_mageia",[39],"Advisory",{"url":41,"sources":42,"tags":43},"https://bugs.mageia.org/show_bug.cgi?id=29351",[37],[44],"REPORT",{"url":46,"sources":47,"tags":48},"https://www.debian.org/security/2021/dsa-4952",[37],[44,49],"WEB",{"url":51,"sources":52,"tags":53},"http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.48",[37],[44,49],{"url":55,"sources":56,"tags":57},"http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44",[37],[44,49],{"url":59,"sources":60,"tags":61},"https://www.openwall.com/lists/oss-security/2021/09/15/6",[37],[44,49],{"url":63,"sources":64,"tags":65},"http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54",[37],[44,49],{"url":67,"sources":68,"tags":69},"https://www.openwall.com/lists/oss-security/2021/10/14/1",[37],[44,49],{"url":71,"sources":72,"tags":73},"https://www.debian.org/security/2021/dsa-4986",[37],[44,49],[],[],[],[78],{"ecosystem":79,"name":80,"vendor":81,"product":80,"cpe_part":9,"purl_type":82,"purl_namespace":81,"purl_name":80,"source":9,"versions":83},"Mageia","tomcat","mageia","rpm",[84],{"version":85,"is_range":86,"range_type":87,"version_start":9,"version_start_type":9,"version_end":88,"version_end_type":89,"fixed_in":9},"lt9_0_54_1_mga8",true,"ecosystem","9.0.54-1.mga8","excluding"]