CVE-2020-13943
Severity: MEDIUM (4.3)
EPSS: 12.1%
tomcat9 - security update
Published: 2/9/2022
Modified: 4/28/2026
Description
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (the SETTINGS_MAX_CONCURRENT_STREAMS value the server advertised, so this is a violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. The first releases without the defect are the upper bounds of the package ranges below: 8.5.58, 9.0.38 and 10.0.0-M8.
Affected packages (5)
- Bitnami/tomcat: >= 8.5.0, < 8.5.58; >= 9.0.0, < 9.0.38
- Debian/tomcat8: from 0, < 8.5.54-0+deb9u4
- Debian/tomcat9: from 0, < 9.0.38-1
- Debian/tomcat9: from 0, < 9.0.31-1~deb10u3
- Maven/org.apache.tomcat:tomcat-coyote: >= 10.0.0-M1, < 10.0.0-M8
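The affected ranges mix GA releases (9.0.37) with two milestone spellings (9.0.0.M1 for Tomcat 9, 10.0.0-M7 for Tomcat 10), and a milestone must sort before the GA build of the same number for 10.0.0-M8 to come out as fixed while 10.0.0-M7 is affected. The Python below is an added example for this page, not code from the advisory, Apache Tomcat or any distribution. It parses a bare version string or the `Server version:` line printed by `$CATALINA_HOME/bin/version.sh` (the same X.Y.Z[-M<n>] scheme the Maven tomcat-coyote artifact uses) and classifies it against the ranges in the description. Strings that carry a Debian/Ubuntu package revision (9.0.31-1~deb10u3) are deliberately not judged by their upstream number, because the Debian entries above show the fix was backported to 9.0.31 and 8.5.54 builds; for those, compare the package version against the fixed package version listed above instead. The sample `version.sh` output is constructed, not captured from a real host.

```python
"""Classify an Apache Tomcat version string against the ranges CVE-2020-13943
lists as affected.  Added example for this page; not advisory or Tomcat code."""
import re
from typing import Optional, Tuple

# Inclusive affected ranges, copied from the advisory description.  The first
# fixed upstream releases are 8.5.58, 9.0.38 and 10.0.0-M8.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.57"),
    ("9.0.0.M1", "9.0.37"),
    ("10.0.0-M1", "10.0.0-M7"),
]

# Tomcat 9 milestones look like 9.0.0.M1, Tomcat 10 milestones like 10.0.0-M7.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")
# Debian/Ubuntu package revisions, e.g. 9.0.31-1~deb10u3 or 8.5.54-0+deb9u4.
_DISTRO_RE = re.compile(r"\d-\d|~|\+deb|ubuntu")

GA_SENTINEL = 10**6  # a GA build sorts after every milestone of the same X.Y.Z


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, milestone) or None when no version is found.

    Milestones keep their number; GA releases get GA_SENTINEL so that the tuple
    ordering gives 10.0.0-M7 < 10.0.0-M8 < 10.0.0.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else GA_SENTINEL
    return (int(major), int(minor), int(patch), ms)


def classify(text: str) -> str:
    """Classify one version string (or a 'Server version:' line).

    Returns 'affected', 'not affected', 'unknown' (no version found) or
    'distro package' when a distribution revision is present: Debian backported
    the fix to 9.0.31-1~deb10u3 and 8.5.54-0+deb9u4, so the upstream number
    alone would be a false positive there.
    """
    if _DISTRO_RE.search(text):
        return "distro package"
    v = parse_version(text)
    if v is None:
        return "unknown"
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    return "not affected"


def check_version_sh(output: str) -> str:
    """Classify the 'Server version:' line from $CATALINA_HOME/bin/version.sh."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return classify(line)
    return "unknown"


# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.37
Server number:  9.0.37.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for s in ["8.5.57", "8.5.58", "9.0.0.M1", "Apache Tomcat/9.0.37", "9.0.38",
              "10.0.0-M7", "10.0.0-M8", "10.0.0", "7.0.105",
              "9.0.31-1~deb10u3", "not a version"]:
        print(f"{s:24} -> {classify(s)}")
    print("version.sh sample      ->", check_version_sh(SAMPLE_VERSION_SH))
```

Note that Tomcat 7 comes out as "not affected" simply because it is outside every listed range, which matches the advisory (Tomcat 7 has no HTTP/2 support); a version the tool cannot parse is reported as "unknown" rather than silently treated as safe.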
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-13943
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-13943
- WEB: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html
- WEB: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html
- WEB: https://github.com/apache/tomcat/commit/1bbc650cbc3f08d85a1ec6d803c47ae53a84f3bb
- WEB: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
- WEB: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a
- WEB: https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E
- WEB: https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html
- WEB: https://security.netapp.com/advisory/ntap-20201016-0007/
- WEB: https://www.debian.org/security/2021/dsa-4835
- WEB: https://www.oracle.com/security-alerts/cpuApr2021.html