A vulnerability in the embedded Tomcat can lead to users seeing responses of other users. This problem is only related to HTTP/2.
Full problem description
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122
Next Axon.ivy Engine Versions will be delivered with new patch versions of Tomcat.
- 7.0.23 -> Tomcat 8.5.63
- 8.0.14 -> Tomcat 9.0.43
- 9.2.0 -> Tomcat 9.0.43