Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2020-13943 (GCVE-0-2020-13943)
Vulnerability from cvelistv5 – Published: 2020-10-12 13:46 – Updated: 2024-08-04 12:32
VLAI?
EPSS
Summary
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
Severity ?
No CVSS data available.
CWE
- Information Disclosure
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Apache Tomcat |
Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37, 8.5.0 to 8.5.57
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.470Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1799",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"name": "openSUSE-SU-2020:1842",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"name": "DSA-4835",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Tomcat",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37, 8.5.0 to 8.5.57"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-14T17:20:16.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1799",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"name": "openSUSE-SU-2020:1842",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"name": "DSA-4835",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13943",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Tomcat",
"version": {
"version_data": [
{
"version_value": "Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37, 8.5.0 to 8.5.57"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1799",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"name": "openSUSE-SU-2020:1842",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"name": "DSA-4835",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201016-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13943",
"datePublished": "2020-10-12T13:46:47.000Z",
"dateReserved": "2020-06-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T12:32:14.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2020-13943
Vulnerability from fkie_nvd - Published: 2020-10-12 14:15 - Updated: 2024-11-21 05:02
Severity ?
Summary
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "69A7FC28-A0EC-4516-9776-700343D2F4DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "18814653-6D44-47D9-A2F5-89C5AFB255F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D4D811A9-4988-4C11-AA27-F5BE2B93D8D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAEF824D-7E95-4BC1-8DBB-787DCE595E21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "97F4A2B3-DB1D-4D0B-B5FF-7EE2A0D291BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "0B461D5A-1208-498F-B551-46C6D514AC2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "598E5D91-0165-4D55-9EDD-EBB5AAAD1172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4B6B61B7-09A3-41C8-8333-0417C14CC87E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "95A139BA-CD3C-42F5-88BA-BE7BE58246D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "876EADA5-60AD-4849-BE10-61C75AA75053",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1814F8DE-2060-411F-9FCC-6EC42AF5663D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF6DBF7-BB0A-4AE6-84DA-51428ACF47CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F72ED-04FE-4EDE-BB18-BE8B1E99EEF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
"matchCriteriaId": "3245C35C-02E7-46B9-A720-37D3C17AFDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
"matchCriteriaId": "F4239A72-EFA1-49E3-8755-5961060F2198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*",
"matchCriteriaId": "C9053CCE-1175-47F9-BF27-7586F082AF83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*",
"matchCriteriaId": "70D3EC47-945C-4B5A-B5B7-C14AE327AC2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*",
"matchCriteriaId": "B723AFDD-0A51-43A1-AB0F-A529FF9B7889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*",
"matchCriteriaId": "7D2200BA-FFD0-411E-BFF4-D6C495F57FE6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*",
"matchCriteriaId": "00550F53-352F-40E5-A6EE-16BE28DD00AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
"matchCriteriaId": "8D17F903-C184-4B33-97C9-FF4355C2847E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*",
"matchCriteriaId": "1E267CF3-397C-4844-91E7-D2550C33D9A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*",
"matchCriteriaId": "394519F4-0F58-456E-A999-163992D9A918",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*",
"matchCriteriaId": "0C6CCD68-88F1-46D5-AB18-67833E3FF5FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*",
"matchCriteriaId": "ACCB8093-D873-4002-A5AE-355277A723CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*",
"matchCriteriaId": "8CD61473-1BDD-4540-A86B-D632D015A580",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*",
"matchCriteriaId": "D87B8D77-9245-4D7A-97A9-126E22280AC2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*",
"matchCriteriaId": "962A6252-DE4A-4F1C-A521-493D8F0893DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*",
"matchCriteriaId": "33A3953F-E30A-457A-A70F-CE9880C9B90D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*",
"matchCriteriaId": "31E349E2-15A4-4912-AE1E-6A87435820B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*",
"matchCriteriaId": "5A2A0AAA-3466-4D26-AD39-1C4F593D9FDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*",
"matchCriteriaId": "046CAC7B-4214-49C5-A386-D1AF240A5DF8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*",
"matchCriteriaId": "A880C043-F8FF-4944-9FAC-150BF03121D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*",
"matchCriteriaId": "F9A7908B-BA6F-4B4A-848C-D97FF57A252B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*",
"matchCriteriaId": "048A0A60-AC69-4817-AD50-63BF81D446D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*",
"matchCriteriaId": "4C1361C3-24D6-4697-B9D5-555EB5CF0451",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*",
"matchCriteriaId": "A30D4E8D-2293-473E-88B1-FB2C71E46D76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*",
"matchCriteriaId": "A6A910D4-9EC9-4D7E-AE15-C3F4D96321A4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*",
"matchCriteriaId": "DC3A3FA5-7F1B-4440-A85A-F3E791FE19C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*",
"matchCriteriaId": "C0C107D4-6A4F-4CC8-8406-EB18D9BD7DD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*",
"matchCriteriaId": "AA489EF3-71D2-46DD-BB22-7F25688152E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*",
"matchCriteriaId": "DF53B9F3-1E1A-4C95-921C-4F9836B89A89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*",
"matchCriteriaId": "3586242F-DCEB-4840-A0D8-E2DD0A6C4E01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*",
"matchCriteriaId": "1CAE6BEA-21B0-434F-B035-B1FDB6331BE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*",
"matchCriteriaId": "C44B9431-967F-495A-B36E-AD971369CD90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*",
"matchCriteriaId": "0B27860E-6F36-4C98-B818-CBB8F1697DDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*",
"matchCriteriaId": "9C3D3F12-8F04-45A3-AE22-D874A7B3DE69",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*",
"matchCriteriaId": "4720C3C9-3420-4521-A332-BA212A6F6596",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*",
"matchCriteriaId": "9642D59E-9AB9-4D53-8833-EBFE1881BEDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*",
"matchCriteriaId": "DEA04289-8940-4B66-AD9A-257D8A1FA0A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*",
"matchCriteriaId": "029598EB-C89A-41F6-B4CE-3D9ED838A2D9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*",
"matchCriteriaId": "10539698-A88B-40D0-B8BC-B4CE2E608AD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*",
"matchCriteriaId": "B11E81D7-B260-4CA7-B7C3-DF388B02175F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*",
"matchCriteriaId": "CB6D6B17-7FA6-43C0-9FF4-5F649280AD79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*",
"matchCriteriaId": "83AC9644-97E7-47F9-8C6A-7F675B7FFDC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.55:*:*:*:*:*:*:*",
"matchCriteriaId": "EB71B43A-F838-47A3-99DB-02B92574678A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.56:*:*:*:*:*:*:*",
"matchCriteriaId": "879D56E7-241E-4EB1-ACD4-137E59F862AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.57:*:*:*:*:*:*:*",
"matchCriteriaId": "E99BB895-7A73-4326-89B3-77B770F4D1E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A4355F36-B223-4819-8272-751EBB68782F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E5962DD4-006E-42F3-A0B0-A1787C0E9384",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "6B0D2EE9-1220-4A81-93E6-97FFD3960CFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2F4ABA66-A344-43F1-98A0-4CD5D8728F0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3AC22738-4B74-4EE5-8B13-50D8A4997B37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7C2A8AF6-D725-4244-B866-E20F228BBAD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "45978B9B-95B5-47F9-9332-CACCFDFEABD0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "6D017BA3-6495-43EC-9670-475081DE3548",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "2EE8A916-AD03-485F-AB4A-FC121A3F8E28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "7F4FF034-1FA4-4393-8B45-75C32819E10E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "743E0EFB-F2B3-4C9A-AD7E-AB157135DCA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0F0377FB-9C66-4CA7-A418-0BBB26BE5CC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*",
"matchCriteriaId": "10D018EE-9780-4976-9461-C2B45F3EF835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*",
"matchCriteriaId": "F4A94099-DEEC-44BE-9CEB-229F69018A42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*",
"matchCriteriaId": "536CD6F1-EA2B-40B1-A179-06C7BD701435",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*",
"matchCriteriaId": "FB533E0D-4ABE-4778-B546-90CE2543BB82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*",
"matchCriteriaId": "556FE8EE-C73C-49E4-8E7F-4C033BB1230F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*",
"matchCriteriaId": "C4EE9ED2-BA38-4C91-9EC2-02F972335354",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*",
"matchCriteriaId": "C3385F07-0D52-494F-BA3E-38D747654363",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*",
"matchCriteriaId": "0D13E0C5-7438-4445-A420-1713C0512D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*",
"matchCriteriaId": "F403DCBB-7E1F-4D61-BE9A-CA61AC2A7CF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*",
"matchCriteriaId": "A78D7E11-D5D4-4F41-9220-B2093FEC9A85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*",
"matchCriteriaId": "4D97FF00-EFAF-4663-9653-9A922C7A27CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*",
"matchCriteriaId": "C5129FB1-7972-46C1-AFDF-B42E94257750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*",
"matchCriteriaId": "7BF9B8DF-D408-4CC1-98C9-DF19E746A5F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*",
"matchCriteriaId": "CC72E8A5-1187-4127-9162-9E003B0043C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*",
"matchCriteriaId": "A2DADCAB-DB66-49A8-9932-E004347A87D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "D0533743-6F28-48CB-94B0-F8E1BF023909",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*",
"matchCriteriaId": "CED05E4E-FD16-4F3C-A82A-92C94B143986",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*",
"matchCriteriaId": "7A20C09D-79FB-4F7C-A56D-D10E76F432C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*",
"matchCriteriaId": "74CB0853-920E-4CBC-B2C0-017E769424CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "FC53AE53-D872-4943-85B3-0E5D23A20A68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*",
"matchCriteriaId": "1938D623-92F0-4C4B-9AF7-C822A8ED7D81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*",
"matchCriteriaId": "66AD3F53-98FA-40B5-9B4F-55F3D6C35B96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "F0CD6C44-4E62-41FC-8E2F-C02A0CF10D6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "236DC804-3275-4395-BFAA-260E66AB752B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:9.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "41F32E7D-12E8-4EC9-A504-7CA293CC8821",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "94B95C95-DF3E-49C1-9CA0-4474DD7EF7B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
},
{
"lang": "es",
"value": "Si un cliente HTTP/2 conectado a Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M7, versiones 9.0.0.M1 hasta 9.0.37 o versiones 8.5.0 hasta 8.5.57, excedi\u00f3 el n\u00famero m\u00e1ximo acordado de transmisiones simult\u00e1neas para una conexi\u00f3n (en violaci\u00f3n del protocolo HTTP/2), era posible que una petici\u00f3n subsiguiente realizada en esa conexi\u00f3n pudiera contener encabezados HTTP, incluyendo los pseudo encabezados HTTP/2, de una petici\u00f3n anterior en lugar de los encabezados previstos.\u0026#xa0;Esto podr\u00eda conllevar que los usuarios visualicen respuestas para recursos inesperados"
}
],
"id": "CVE-2020-13943",
"lastModified": "2024-11-21T05:02:11.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-12T14:15:12.183",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"source": "security@apache.org",
"tags": [
"Broken Link"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"source": "security@apache.org",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"source": "security@apache.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-F268-65QC-98VG
Vulnerability from github – Published: 2022-02-09 23:03 – Updated: 2022-02-09 23:03
VLAI?
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Details
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
Severity ?
4.3 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.0-M7"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-M1"
},
{
"fixed": "10.0.0-M8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.37"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M1"
},
{
"fixed": "9.0.38"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.5.57"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-coyote"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.58"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-13943"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-12T18:12:07Z",
"nvd_published_at": "2020-10-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"id": "GHSA-f268-65qc-98vg",
"modified": "2022-02-09T23:03:53Z",
"published": "2022-02-09T23:03:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/1bbc650cbc3f08d85a1ec6d803c47ae53a84f3bb"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201016-0007"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat"
}
CERTFR-2021-AVI-951
Vulnerability from certfr_avis - Published: 2021-12-15 - Updated: 2021-12-15
De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le | ||
| Red Hat | N/A | Red Hat Integration Text-Only Advisories x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Openshift Application Runtimes Text-Only Advisories x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Integration - Camel K 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le | ||
| Red Hat | N/A | Red Hat Fuse 1 x86_64 | ||
| SolarWinds | Platform | Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat JBoss Data Grid Text-Only Advisories x86_64 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for Power 4.8 for RHEL 8 ppc64le",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Integration Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Openshift Application Runtimes Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Integration - Camel K 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform 4.8 for RHEL 8 x86_64",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Fuse 1 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.8 for RHEL 8 s390x",
"product": {
"name": "Platform",
"vendor": {
"name": "SolarWinds",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time - Telecommunications Update Service 8.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat JBoss Data Grid Text-Only Advisories x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-27223",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
},
{
"name": "CVE-2020-27218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27218"
},
{
"name": "CVE-2021-21343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
},
{
"name": "CVE-2021-29425",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29425"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2021-22118",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22118"
},
{
"name": "CVE-2020-2875",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2875"
},
{
"name": "CVE-2021-3536",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3536"
},
{
"name": "CVE-2021-28169",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
},
{
"name": "CVE-2021-21348",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
},
{
"name": "CVE-2020-11988",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11988"
},
{
"name": "CVE-2020-35510",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35510"
},
{
"name": "CVE-2021-45606",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45606"
},
{
"name": "CVE-2020-2934",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2934"
},
{
"name": "CVE-2021-21344",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
},
{
"name": "CVE-2020-26259",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
},
{
"name": "CVE-2021-3597",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3597"
},
{
"name": "CVE-2021-28170",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28170"
},
{
"name": "CVE-2021-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
},
{
"name": "CVE-2020-13949",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
},
{
"name": "CVE-2021-4104",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4104"
},
{
"name": "CVE-2021-3690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3690"
},
{
"name": "CVE-2020-17521",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17521"
},
{
"name": "CVE-2021-22696",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22696"
},
{
"name": "CVE-2021-28163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2020-9488",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9488"
},
{
"name": "CVE-2021-21347",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
},
{
"name": "CVE-2021-27568",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27568"
},
{
"name": "CVE-2020-26217",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
},
{
"name": "CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"name": "CVE-2021-23926",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23926"
},
{
"name": "CVE-2019-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10744"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2021-21346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
},
{
"name": "CVE-2021-30468",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30468"
},
{
"name": "CVE-2021-21351",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
},
{
"name": "CVE-2021-21345",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
},
{
"name": "CVE-2020-28491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28491"
},
{
"name": "CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"name": "CVE-2021-37714",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37714"
},
{
"name": "CVE-2019-12415",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12415"
},
{
"name": "CVE-2021-20218",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20218"
},
{
"name": "CVE-2020-27782",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-27782"
},
{
"name": "CVE-2021-30129",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
},
{
"name": "CVE-2020-17527",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-17527"
},
{
"name": "CVE-2021-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
},
{
"name": "CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"name": "CVE-2020-13943",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13943"
},
{
"name": "CVE-2020-15522",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15522"
},
{
"name": "CVE-2021-28164",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
},
{
"name": "CVE-2020-11987",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11987"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2021-21342",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
},
{
"name": "CVE-2021-3629",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3629"
},
{
"name": "CVE-2021-21350",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
},
{
"name": "CVE-2021-34428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
}
],
"initial_release_date": "2021-12-15T00:00:00",
"last_revision_date": "2021-12-15T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5101 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHBA-2021:5101"
}
],
"reference": "CERTFR-2021-AVI-951",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-12-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de\nRedHat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service et une\natteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de RedHat",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5130 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5130"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHBA-2021:5114 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHBA-2021:5114"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5138 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5138"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5132 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5132"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5126 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5126"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5134 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5134"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5133 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5133"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5108 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5108"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2021:5093 du 14 d\u00e9cembre 2021",
"url": "https://access.redhat.com/errata/RHSA-2021:5093"
}
]
}
GSD-2020-13943
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-13943",
"description": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"id": "GSD-2020-13943",
"references": [
"https://www.suse.com/security/cve/CVE-2020-13943.html",
"https://www.debian.org/security/2021/dsa-4835",
"https://access.redhat.com/errata/RHSA-2021:5134",
"https://access.redhat.com/errata/RHSA-2021:4012",
"https://access.redhat.com/errata/RHSA-2021:0495",
"https://access.redhat.com/errata/RHSA-2021:0494",
"https://advisories.mageia.org/CVE-2020-13943.html",
"https://ubuntu.com/security/CVE-2020-13943"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-13943"
],
"details": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"id": "GSD-2020-13943",
"modified": "2023-12-13T01:21:46.829234Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13943",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Tomcat",
"version": {
"version_data": [
{
"version_value": "Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37, 8.5.0 to 8.5.57"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1799",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"name": "openSUSE-SU-2020:1842",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"name": "DSA-4835",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201016-0007/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[9.0.0,9.0.37),[8.5.0,8.5.57)",
"affected_versions": "All versions starting from 9.0.0 before 9.0.37, all versions starting from 8.5.0 before 8.5.57",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-02-09",
"description": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"fixed_versions": [
"9.0.37",
"8.5.57"
],
"identifier": "CVE-2020-13943",
"identifiers": [
"GHSA-f268-65qc-98vg",
"CVE-2020-13943"
],
"not_impacted": "",
"package_slug": "maven/org.apache.tomcat.embed/tomcat-embed-core",
"pubdate": "2022-02-09",
"solution": "Upgrade to versions 9.0.37, 8.5.57 or above.",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13943",
"https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html",
"https://security.netapp.com/advisory/ntap-20201016-0007/",
"https://www.debian.org/security/2021/dsa-4835",
"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html",
"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://github.com/advisories/GHSA-f268-65qc-98vg"
],
"uuid": "46208f3e-23e6-4526-ba5d-4d5f1a7b6362"
},
{
"affected_range": "[8.5.0,8.5.57],[9.0.0,9.0.37],[10.0.0]",
"affected_versions": "All versions starting from 8.5.0 up to 8.5.57, all versions starting from 9.0.0 up to 9.0.37, version 10.0.0",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-06-14",
"description": "If an `HTTP/2` client connecting to Apache Tomcat to M1 to to exceeded the agreed maximum number of concurrent streams for a connection (in violation of the `HTTP/2` protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including `HTTP/2` pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"fixed_versions": [],
"identifier": "CVE-2020-13943",
"identifiers": [
"CVE-2020-13943"
],
"not_impacted": "",
"package_slug": "maven/org.apache.tomcat/coyote",
"pubdate": "2020-10-12",
"solution": "Unfortunately, there is no solution available yet.",
"title": "HTTP Request Smuggling",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
],
"uuid": "11cbbf92-46d4-4e90-8fca-a08bb77922ed"
},
{
"affected_range": "[8.5.0,8.5.57],[9.0.0,9.0.37],[10.0.0]",
"affected_versions": "All versions starting from 8.5.0 up to 8.5.57, all versions starting from 9.0.0 up to 9.0.37, version 10.0.0",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-06-14",
"description": "If a `HTTP/2` client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the `HTTP/2` protocol), it was possible that a subsequent request made on that connection could contain HTTP headers from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"fixed_versions": [
"8.5.58",
"9.0.38"
],
"identifier": "CVE-2020-13943",
"identifiers": [
"CVE-2020-13943"
],
"not_impacted": "All versions before 8.5.0, all versions after 8.5.57 before 9.0.0, all versions after 9.0.37 before 10.0.0, all versions after 10.0.0",
"package_slug": "maven/org.apache.tomcat/tomcat-coyote",
"pubdate": "2020-10-12",
"solution": "Upgrade to versions 8.5.58, 9.0.38 or above.",
"title": "HTTP Request Smuggling",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
],
"uuid": "fe2fc6d1-377a-424f-b9b4-8204517ef1e4"
},
{
"affected_range": "[10.0.0-M1,10.0.0-M6],[9.0.0-M1,9.0.37),[8.5.0,8.5.57)",
"affected_versions": "All versions starting from 10.0.0-m1 up to 10.0.0-m6, all versions starting from 9.0.0-m1 before 9.0.37, all versions starting from 8.5.0 before 8.5.57",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-02-09",
"description": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"fixed_versions": [
"10.0.0-M7",
"10.0.0-M7",
"10.0.0-M7",
"8.5.57"
],
"identifier": "CVE-2020-13943",
"identifiers": [
"GHSA-f268-65qc-98vg",
"CVE-2020-13943"
],
"not_impacted": "All versions before 10.0.0-m1, all versions after 10.0.0-m6, all versions before 9.0.0-m1, all versions starting from 9.0.37, all versions before 8.5.0, all versions starting from 8.5.57",
"package_slug": "maven/org.apache.tomcat/tomcat",
"pubdate": "2022-02-09",
"solution": "Upgrade to versions 10.0.0-M7, 10.0.0-M7, 10.0.0-M7, 8.5.57 or above.",
"title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13943",
"https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html",
"https://security.netapp.com/advisory/ntap-20201016-0007/",
"https://www.debian.org/security/2021/dsa-4835",
"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html",
"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://github.com/advisories/GHSA-f268-65qc-98vg"
],
"uuid": "789ecb27-8b76-4897-8126-a21b7dc348f1"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.55:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.56:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.57:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13943"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update",
"refsource": "MLIST",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201016-0007/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
},
{
"name": "openSUSE-SU-2020:1799",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"name": "openSUSE-SU-2020:1842",
"refsource": "SUSE",
"tags": [
"Broken Link"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"name": "DSA-4835",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2023-01-31T21:44Z",
"publishedDate": "2020-10-12T14:15Z"
}
}
}
bit-tomcat-2020-13943
Vulnerability from bitnami_vulndb
Published
2024-03-06 11:11
Modified
2025-11-06 13:25
Summary
Details
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "tomcat",
"purl": "pkg:bitnami/tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.0"
},
{
"fixed": "8.5.1"
},
{
"introduced": "8.5.1"
},
{
"fixed": "8.5.2"
},
{
"introduced": "8.5.2"
},
{
"fixed": "8.5.3"
},
{
"introduced": "8.5.3"
},
{
"fixed": "8.5.4"
},
{
"introduced": "8.5.4"
},
{
"fixed": "8.5.5"
},
{
"introduced": "8.5.5"
},
{
"fixed": "8.5.6"
},
{
"introduced": "8.5.6"
},
{
"fixed": "8.5.7"
},
{
"introduced": "8.5.7"
},
{
"fixed": "8.5.8"
},
{
"introduced": "8.5.8"
},
{
"fixed": "8.5.9"
},
{
"introduced": "8.5.9"
},
{
"fixed": "8.5.10"
},
{
"introduced": "8.5.10"
},
{
"fixed": "8.5.11"
},
{
"introduced": "8.5.11"
},
{
"fixed": "8.5.12"
},
{
"introduced": "8.5.12"
},
{
"fixed": "8.5.13"
},
{
"introduced": "8.5.13"
},
{
"fixed": "8.5.14"
},
{
"introduced": "8.5.14"
},
{
"fixed": "8.5.15"
},
{
"introduced": "8.5.15"
},
{
"fixed": "8.5.16"
},
{
"introduced": "8.5.16"
},
{
"fixed": "8.5.17"
},
{
"introduced": "8.5.17"
},
{
"fixed": "8.5.18"
},
{
"introduced": "8.5.18"
},
{
"fixed": "8.5.19"
},
{
"introduced": "8.5.19"
},
{
"fixed": "8.5.20"
},
{
"introduced": "8.5.20"
},
{
"fixed": "8.5.21"
},
{
"introduced": "8.5.21"
},
{
"fixed": "8.5.22"
},
{
"introduced": "8.5.22"
},
{
"fixed": "8.5.23"
},
{
"introduced": "8.5.23"
},
{
"fixed": "8.5.24"
},
{
"introduced": "8.5.24"
},
{
"fixed": "8.5.25"
},
{
"introduced": "8.5.25"
},
{
"fixed": "8.5.26"
},
{
"introduced": "8.5.26"
},
{
"fixed": "8.5.27"
},
{
"introduced": "8.5.27"
},
{
"fixed": "8.5.28"
},
{
"introduced": "8.5.28"
},
{
"fixed": "8.5.29"
},
{
"introduced": "8.5.29"
},
{
"fixed": "8.5.30"
},
{
"introduced": "8.5.30"
},
{
"fixed": "8.5.31"
},
{
"introduced": "8.5.31"
},
{
"fixed": "8.5.32"
},
{
"introduced": "8.5.32"
},
{
"fixed": "8.5.33"
},
{
"introduced": "8.5.33"
},
{
"fixed": "8.5.34"
},
{
"introduced": "8.5.34"
},
{
"fixed": "8.5.35"
},
{
"introduced": "8.5.35"
},
{
"fixed": "8.5.36"
},
{
"introduced": "8.5.36"
},
{
"fixed": "8.5.37"
},
{
"introduced": "8.5.37"
},
{
"fixed": "8.5.38"
},
{
"introduced": "8.5.38"
},
{
"fixed": "8.5.39"
},
{
"introduced": "8.5.39"
},
{
"fixed": "8.5.40"
},
{
"introduced": "8.5.40"
},
{
"fixed": "8.5.41"
},
{
"introduced": "8.5.41"
},
{
"fixed": "8.5.42"
},
{
"introduced": "8.5.42"
},
{
"fixed": "8.5.43"
},
{
"introduced": "8.5.43"
},
{
"fixed": "8.5.44"
},
{
"introduced": "8.5.44"
},
{
"fixed": "8.5.45"
},
{
"introduced": "8.5.45"
},
{
"fixed": "8.5.46"
},
{
"introduced": "8.5.46"
},
{
"fixed": "8.5.47"
},
{
"introduced": "8.5.47"
},
{
"fixed": "8.5.48"
},
{
"introduced": "8.5.48"
},
{
"fixed": "8.5.49"
},
{
"introduced": "8.5.49"
},
{
"fixed": "8.5.50"
},
{
"introduced": "8.5.50"
},
{
"fixed": "8.5.51"
},
{
"introduced": "8.5.51"
},
{
"fixed": "8.5.52"
},
{
"introduced": "8.5.52"
},
{
"fixed": "8.5.53"
},
{
"introduced": "8.5.53"
},
{
"fixed": "8.5.54"
},
{
"introduced": "8.5.54"
},
{
"fixed": "8.5.55"
},
{
"introduced": "8.5.55"
},
{
"fixed": "8.5.56"
},
{
"introduced": "8.5.56"
},
{
"fixed": "8.5.57"
},
{
"introduced": "8.5.57"
},
{
"fixed": "8.5.58"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.38"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2020-13943"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.55:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.56:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.57:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.35:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.36:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.37:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
"id": "BIT-tomcat-2020-13943",
"modified": "2025-11-06T13:25:46.476Z",
"published": "2024-03-06T11:11:40.396Z",
"references": [
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4835"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
}
],
"schema_version": "1.5.0"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…