CVE-2021-30639

Name: CVE-2021-30639
Creator: NVD / NIST
Published: 2021-07-12T15:15:08.333+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 6.89%

Last modified Jun 17, 2026

CVE-2021-30639 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. EPSS estimates a 6.89% chance of exploitation in the next 30 days.

Description

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

6.89%

93.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-755

Affected Software

Vendor	Product	Versions
Apache	Tomcat	8.5.64
Apache	Tomcat	9.0.44
Apache	Tomcat	10.0.3
Apache	Tomcat	10.0.4
Mcafee	Epolicy Orchestrator	< 5.10.0
Mcafee	Epolicy Orchestrator	5.10.0
Oracle	Big Data Spatial And Graph	< 23.1

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3EMailing List, Vendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10366Third Party Advisory
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3EMailing List, Vendor Advisory
https://security.gentoo.org/glsa/202208-34Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory

Timeline

Published: Jul 12, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-30639?

How severe is CVE-2021-30639?

CVE-2021-30639 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 6.89% probability of exploitation in the next 30 days.

How do I fix CVE-2021-30639?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-30639?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST