CVE-2020-13943

Severity: 43%

Complexity: 27%

Confidentiality: 23%

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

CVSS 3.1 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVSS 2.0 Base Score 4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N).

Overview

First reported: 2020-10-12 14:15:00 (4 years ago)

Last updated: 2020-11-06 01:15:00 (4 years ago)

Affected Software

Apache Software Foundation Tomcat 8.5.0
Apache Software Foundation Tomcat 8.5.1
Apache Software Foundation Tomcat 8.5.2
Apache Software Foundation Tomcat 8.5.3
Apache Software Foundation Tomcat 8.5.4
Apache Software Foundation Tomcat 8.5.5
Apache Software Foundation Tomcat 8.5.6
Apache Software Foundation Tomcat 8.5.7
Apache Software Foundation Tomcat 8.5.8
Apache Software Foundation Tomcat 8.5.9
Apache Software Foundation Tomcat 8.5.10
Apache Software Foundation Tomcat 8.5.11
Apache Software Foundation Tomcat 8.5.12
Apache Software Foundation Tomcat 8.5.13
Apache Software Foundation Tomcat 8.5.14
Apache Software Foundation Tomcat 8.5.15
Apache Software Foundation Tomcat 8.5.16
Apache Software Foundation Tomcat 8.5.17
Apache Software Foundation Tomcat 8.5.18
Apache Software Foundation Tomcat 8.5.19
Apache Software Foundation Tomcat 8.5.20
Apache Software Foundation Tomcat 8.5.21
Apache Software Foundation Tomcat 8.5.22
Apache Software Foundation Tomcat 8.5.23
Apache Software Foundation Tomcat 8.5.24
Apache Software Foundation Tomcat 8.5.25
Apache Software Foundation Tomcat 8.5.26
Apache Software Foundation Tomcat 8.5.27
Apache Software Foundation Tomcat 8.5.28
Apache Software Foundation Tomcat 8.5.29
Apache Software Foundation Tomcat 8.5.30
Apache Software Foundation Tomcat 8.5.31
Apache Software Foundation Tomcat 8.5.32
Apache Software Foundation Tomcat 8.5.33
Apache Software Foundation Tomcat 8.5.34
Apache Software Foundation Tomcat 8.5.35
Apache Software Foundation Tomcat 8.5.36
Apache Software Foundation Tomcat 8.5.37
Apache Software Foundation Tomcat 8.5.38
Apache Software Foundation Tomcat 8.5.39
Apache Software Foundation Tomcat 8.5.40
Apache Software Foundation Tomcat 8.5.41
Apache Software Foundation Tomcat 8.5.42
Apache Software Foundation Tomcat 8.5.43
Apache Software Foundation Tomcat 8.5.44
Apache Software Foundation Tomcat 8.5.45
Apache Software Foundation Tomcat 8.5.46
Apache Software Foundation Tomcat 8.5.47
Apache Software Foundation Tomcat 8.5.48
Apache Software Foundation Tomcat 8.5.49
Apache Software Foundation Tomcat 8.5.50
Apache Software Foundation Tomcat 8.5.51
Apache Software Foundation Tomcat 8.5.52
Apache Software Foundation Tomcat 9.0.0 Milestone 1
Apache Software Foundation Tomcat 9.0.0 Milestone 10
Apache Software Foundation Tomcat 9.0.0 Milestone 11
Apache Software Foundation Tomcat 9.0.0 Milestone 12
Apache Software Foundation Tomcat 9.0.0 Milestone 13
Apache Software Foundation Tomcat 9.0.0 Milestone 14
Apache Software Foundation Tomcat 9.0.0 Milestone 15
Apache Software Foundation Tomcat 9.0.0 Milestone 16
Apache Software Foundation Tomcat 9.0.0 Milestone 17
Apache Software Foundation Tomcat 9.0.0 Milestone 18
Apache Software Foundation Tomcat 9.0.0 Milestone 19
Apache Software Foundation Tomcat 9.0.0 Milestone 2
Apache Software Foundation Tomcat 9.0.0 Milestone 20
Apache Software Foundation Tomcat 9.0.0 Milestone 21
Apache Software Foundation Tomcat 9.0.0 Milestone 22
Apache Software Foundation Tomcat 9.0.0 Milestone 23
Apache Software Foundation Tomcat 9.0.0 Milestone 24
Apache Software Foundation Tomcat 9.0.0 Milestone 25
Apache Software Foundation Tomcat 9.0.0 Milestone 26
Apache Software Foundation Tomcat 9.0.0 Milestone 27
Apache Software Foundation Tomcat 9.0.0 Milestone 3
Apache Software Foundation Tomcat 9.0.0 Milestone 4
Apache Software Foundation Tomcat 9.0.0 Milestone 5
Apache Software Foundation Tomcat 9.0.0 Milestone 6
Apache Software Foundation Tomcat 9.0.0 Milestone 7
Apache Software Foundation Tomcat 9.0.0 Milestone 8
Apache Software Foundation Tomcat 9.0.0 Milestone 9
Apache Software Foundation Tomcat 9.0.1
Apache Software Foundation Tomcat 9.0.2
Apache Software Foundation Tomcat 9.0.3
Apache Software Foundation Tomcat 9.0.4
Apache Software Foundation Tomcat 9.0.5
Apache Software Foundation Tomcat 9.0.6
Apache Software Foundation Tomcat 9.0.7
Apache Software Foundation Tomcat 9.0.8
Apache Software Foundation Tomcat 9.0.9
Apache Software Foundation Tomcat 9.0.10
Apache Software Foundation Tomcat 9.0.11
Apache Software Foundation Tomcat 9.0.12
Apache Software Foundation Tomcat 9.0.13
Apache Software Foundation Tomcat 9.0.14
Apache Software Foundation Tomcat 9.0.15
Apache Software Foundation Tomcat 9.0.16
Apache Software Foundation Tomcat 9.0.17
Apache Software Foundation Tomcat 9.0.18
Apache Software Foundation Tomcat 9.0.19
Apache Software Foundation Tomcat 9.0.20
Apache Software Foundation Tomcat 9.0.21
Apache Software Foundation Tomcat 9.0.22
Apache Software Foundation Tomcat 9.0.23
Apache Software Foundation Tomcat 9.0.24
Apache Software Foundation Tomcat 9.0.25
Apache Software Foundation Tomcat 9.0.26
Apache Software Foundation Tomcat 9.0.27
Apache Software Foundation Tomcat 9.0.28
Apache Software Foundation Tomcat 9.0.29
Apache Software Foundation Tomcat 9.0.30
Apache Software Foundation Tomcat 9.0.31
Apache Software Foundation Tomcat 9.0.32
Apache Software Foundation Tomcat 10.0.0 Milestone 1
Apache Software Foundation Tomcat 10.0.0 Milestone 2
Debian Linux 9.0
