CVE Vulnerabilities

CVE-2020-13943

Published: Oct 12, 2020 | Modified: Jun 14, 2021
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Affected Software

Name Vendor Start Version End Version
Tomcat Apache 8.5.0 8.5.0
Tomcat Apache 8.5.1 8.5.1
Tomcat Apache 8.5.2 8.5.2
Tomcat Apache 8.5.3 8.5.3
Tomcat Apache 8.5.4 8.5.4
Tomcat Apache 8.5.5 8.5.5
Tomcat Apache 8.5.6 8.5.6
Tomcat Apache 8.5.7 8.5.7
Tomcat Apache 8.5.8 8.5.8
Tomcat Apache 8.5.9 8.5.9
Tomcat Apache 8.5.10 8.5.10
Tomcat Apache 8.5.11 8.5.11
Tomcat Apache 8.5.15 8.5.15
Tomcat Apache 8.5.13 8.5.13
Tomcat Apache 8.5.14 8.5.14
Tomcat Apache 8.5.12 8.5.12
Tomcat Apache 8.5.16 8.5.16
Tomcat Apache 8.5.17 8.5.17
Tomcat Apache 8.5.18 8.5.18
Tomcat Apache 8.5.19 8.5.19
Tomcat Apache 8.5.20 8.5.20
Tomcat Apache 8.5.21 8.5.21
Tomcat Apache 8.5.22 8.5.22
Tomcat Apache 8.5.23 8.5.23
Tomcat Apache 8.5.24 8.5.24
Tomcat Apache 8.5.25 8.5.25
Tomcat Apache 8.5.26 8.5.26
Tomcat Apache 8.5.27 8.5.27
Tomcat Apache 8.5.28 8.5.28
Tomcat Apache 8.5.29 8.5.29
Tomcat Apache 8.5.30 8.5.30
Tomcat Apache 8.5.31 8.5.31
Tomcat Apache 8.5.32 8.5.32
Tomcat Apache 8.5.33 8.5.33
Tomcat Apache 8.5.34 8.5.34
Tomcat Apache 8.5.35 8.5.35
Tomcat Apache 9.0.1 9.0.1
Tomcat Apache 9.0.2 9.0.2
Tomcat Apache 9.0.3 9.0.3
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 9.0.0 9.0.0
Tomcat Apache 8.5.36 8.5.36
Tomcat Apache 8.5.37 8.5.37
Tomcat Apache 8.5.38 8.5.38
Tomcat Apache 8.5.39 8.5.39
Tomcat Apache 8.5.40 8.5.40
Tomcat Apache 8.5.41 8.5.41
Tomcat Apache 8.5.42 8.5.42
Tomcat Apache 8.5.43 8.5.43
Tomcat Apache 8.5.44 8.5.44
Tomcat Apache 8.5.45 8.5.45
Tomcat Apache 8.5.46 8.5.46
Tomcat Apache 8.5.47 8.5.47
Tomcat Apache 8.5.48 8.5.48
Tomcat Apache 8.5.49 8.5.49
Tomcat Apache 8.5.50 8.5.50
Tomcat Apache 8.5.51 8.5.51
Tomcat Apache 8.5.52 8.5.52
Tomcat Apache 8.5.53 8.5.53
Tomcat Apache 8.5.54 8.5.54
Tomcat Apache 8.5.55 8.5.55
Tomcat Apache 8.5.56 8.5.56
Tomcat Apache 8.5.57 8.5.57
Tomcat Apache 9.0.4 9.0.4
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 10.0.0 10.0.0
Tomcat Apache 9.0.5 9.0.5
Tomcat Apache 9.0.6 9.0.6
Tomcat Apache 9.0.7 9.0.7
Tomcat Apache 9.0.8 9.0.8
Tomcat Apache 9.0.9 9.0.9
Tomcat Apache 9.0.10 9.0.10
Tomcat Apache 9.0.11 9.0.11
Tomcat Apache 9.0.12 9.0.12
Tomcat Apache 9.0.13 9.0.13
Tomcat Apache 9.0.14 9.0.14
Tomcat Apache 9.0.15 9.0.15
Tomcat Apache 9.0.16 9.0.16
Tomcat Apache 9.0.17 9.0.17
Tomcat Apache 9.0.18 9.0.18
Tomcat Apache 9.0.19 9.0.19
Tomcat Apache 9.0.20 9.0.20
Tomcat Apache 9.0.21 9.0.21
Tomcat Apache 9.0.22 9.0.22
Tomcat Apache 9.0.23 9.0.23
Tomcat Apache 9.0.24 9.0.24
Tomcat Apache 9.0.25 9.0.25
Tomcat Apache 9.0.26 9.0.26
Tomcat Apache 9.0.27 9.0.27
Tomcat Apache 9.0.28 9.0.28
Tomcat Apache 9.0.29 9.0.29
Tomcat Apache 9.0.30 9.0.30
Tomcat Apache 9.0.31 9.0.31
Tomcat Apache 9.0.32 9.0.32
Tomcat Apache 9.0.33 9.0.33
Tomcat Apache 9.0.34 9.0.34
Tomcat Apache 9.0.35 9.0.35
Tomcat Apache 9.0.36 9.0.36
Tomcat Apache 9.0.37 9.0.37
Tomcat Apache 10.0.0 10.0.0
Red Hat JBoss Fuse 7 RedHat tomcat *
Red Hat JBoss Web Server 5 RedHat tomcat *
Red Hat JBoss Web Server 5.4 on RHEL 7 RedHat jws5-tomcat-0:9.0.36-9.redhat_8.1.el7jws *
Red Hat JBoss Web Server 5.4 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.25-3.redhat_3.el7jws *
Red Hat JBoss Web Server 5.4 on RHEL 8 RedHat jws5-tomcat-0:9.0.36-9.redhat_8.1.el8jws *
Red Hat JBoss Web Server 5.4 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.25-3.redhat_3.el8jws *
Red Hat OpenShift Application Runtimes 1.0 RedHat tomcat *
Tomcat8 Ubuntu trusty *
Tomcat9 Ubuntu trusty *
Tomcat9 Ubuntu upstream *

References