Updated: 2025-12-14 04:17:26.55073
Description:
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 4.4 |
| CVSS Version 3.x | HIGH | 7.0 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 7 ELS | tomcat | 7.0.76 | 7.0 | HIGH | Released | CLSA-2024:1716916085 | 2024-06-15 11:27:55 | |
| Debian 10 ELS | tomcat9 | 9.0.31 | 7.0 | HIGH | Already Fixed | 2025-10-23 14:58:10 | ||
| Ubuntu 16.04 ELS | tomcat7 | 7.0.68-1 | 7.0 | HIGH | Released | CLSA-2022:1655757814 | 2022-06-20 18:20:34 | |
| Ubuntu 16.04 ELS | tomcat8 | 8.0.32-1 | 7.0 | HIGH | Released | CLSA-2024:1724260496 | 2024-08-21 14:29:44 | |
| Ubuntu 18.04 ELS | tomcat9 | 9.0.16-3 | 7.0 | HIGH | Already Fixed | 2023-06-02 09:09:42 | ||
| Ubuntu 18.04 ELS | tomcat8 | 8.5.39-1 | 7.0 | HIGH | Released | CLSA-2023:1691083477 | 2023-08-03 14:08:44 |