systemtek.co.uk
Apache Tomcat – CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)
The fix for CVE-2020-9484 was incomplete. In a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484.
Jason Davies