Is Spectrum Tomcat affected by CVE-2021-25122 and CVE-2021-25329? Is there a hotfix for these CVEs?
Spectrum version: 10.4.3.0.21
Release : 20.2
Component : Spectrum Core / SpectroSERVER
1. CVE-2021-25122: This occurs with h2c requests, where the server supports HTTP/2 and the request is made in cleartext. Spectrum supports HTTP/1.1 and is hence NOT affected.
2. CVE-2021-25329: This can be exploited when a user gains access to a file on the server. They can later execute that file with scripts/malware in it. This can be a possible concern.
Tomcat server 9.0.43 is provided in the next release of Spectrum, and hence these two CVEs are plugged.
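To confirm the h2c point in item 1 on a given installation, the Tomcat connector configuration can be inspected. The following is an added example, not Broadcom or Spectrum code. It assumes a standard Tomcat `server.xml`, where HTTP/2 is enabled by an `UpgradeProtocol` element inside a `Connector`, and it runs on a constructed sample file.

```python
import xml.etree.ElementTree as ET

# Tomcat's HTTP/2 upgrade handler; a Connector without it does not speak HTTP/2.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml (not taken from a Spectrum installation).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8081" protocol="HTTP/1.1">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""


def classify_connectors(server_xml: str) -> dict:
    """Map each Connector port to 'no-http2', 'h2c' (cleartext) or 'h2' (TLS)."""
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        http2 = any(up.get("className") == HTTP2_CLASS
                    for up in conn.findall("UpgradeProtocol"))
        tls = conn.get("SSLEnabled", "false").strip().lower() == "true"
        if not http2:
            result[port] = "no-http2"
        elif tls:
            result[port] = "h2"    # HTTP/2 negotiated over TLS
        else:
            result[port] = "h2c"   # HTTP/2 over cleartext: the case in item 1
    return result


def h2c_ports(server_xml: str) -> list:
    """Ports whose connector accepts cleartext HTTP/2 upgrades."""
    return sorted(p for p, k in classify_connectors(server_xml).items() if k == "h2c")


if __name__ == "__main__":
    for port, kind in classify_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: {kind}")
    print("h2c-enabled ports:", h2c_ports(SAMPLE_SERVER_XML) or "none")
```

An empty result from `h2c_ports` on the real `server.xml` matches the "HTTP/1.1, not affected" assessment above.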