CVE-2020-13943
Summary
| CVE | CVE-2020-13943 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-10-12 14:15:00 UTC |
| Updated | 2023-01-31 21:44:00 UTC |
| Description | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 10.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 10.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 8.5.0 | All | All | All |
| Application | Apache | Tomcat | 8.5.1 | All | All | All |
| Application | Apache | Tomcat | 8.5.10 | All | All | All |
| Application | Apache | Tomcat | 8.5.11 | All | All | All |
| Application | Apache | Tomcat | 8.5.12 | All | All | All |
| Application | Apache | Tomcat | 8.5.13 | All | All | All |
| Application | Apache | Tomcat | 8.5.14 | All | All | All |
| Application | Apache | Tomcat | 8.5.15 | All | All | All |
| Application | Apache | Tomcat | 8.5.16 | All | All | All |
| Application | Apache | Tomcat | 8.5.17 | All | All | All |
| Application | Apache | Tomcat | 8.5.18 | All | All | All |
| Application | Apache | Tomcat | 8.5.19 | All | All | All |
| Application | Apache | Tomcat | 8.5.2 | All | All | All |
| Application | Apache | Tomcat | 8.5.20 | All | All | All |
| Application | Apache | Tomcat | 8.5.21 | All | All | All |
| Application | Apache | Tomcat | 8.5.22 | All | All | All |
| Application | Apache | Tomcat | 8.5.23 | All | All | All |
| Application | Apache | Tomcat | 8.5.24 | All | All | All |
| Application | Apache | Tomcat | 8.5.25 | All | All | All |
| Application | Apache | Tomcat | 8.5.26 | All | All | All |
| Application | Apache | Tomcat | 8.5.27 | All | All | All |
| Application | Apache | Tomcat | 8.5.28 | All | All | All |
| Application | Apache | Tomcat | 8.5.29 | All | All | All |
| Application | Apache | Tomcat | 8.5.3 | All | All | All |
| Application | Apache | Tomcat | 8.5.30 | All | All | All |
| Application | Apache | Tomcat | 8.5.31 | All | All | All |
| Application | Apache | Tomcat | 8.5.32 | All | All | All |
| Application | Apache | Tomcat | 8.5.33 | All | All | All |
| Application | Apache | Tomcat | 8.5.34 | All | All | All |
| Application | Apache | Tomcat | 8.5.35 | All | All | All |
| Application | Apache | Tomcat | 8.5.36 | All | All | All |
| Application | Apache | Tomcat | 8.5.37 | All | All | All |
| Application | Apache | Tomcat | 8.5.38 | All | All | All |
| Application | Apache | Tomcat | 8.5.39 | All | All | All |
| Application | Apache | Tomcat | 8.5.4 | All | All | All |
| Application | Apache | Tomcat | 8.5.40 | All | All | All |
| Application | Apache | Tomcat | 8.5.41 | All | All | All |
| Application | Apache | Tomcat | 8.5.42 | All | All | All |
| Application | Apache | Tomcat | 8.5.43 | All | All | All |
| Application | Apache | Tomcat | 8.5.44 | All | All | All |
| Application | Apache | Tomcat | 8.5.45 | All | All | All |
| Application | Apache | Tomcat | 8.5.46 | All | All | All |
| Application | Apache | Tomcat | 8.5.47 | All | All | All |
| Application | Apache | Tomcat | 8.5.48 | All | All | All |
| Application | Apache | Tomcat | 8.5.49 | All | All | All |
| Application | Apache | Tomcat | 8.5.5 | All | All | All |
| Application | Apache | Tomcat | 8.5.50 | All | All | All |
| Application | Apache | Tomcat | 8.5.51 | All | All | All |
| Application | Apache | Tomcat | 8.5.52 | All | All | All |
| Application | Apache | Tomcat | 8.5.53 | All | All | All |
| Application | Apache | Tomcat | 8.5.54 | All | All | All |
| Application | Apache | Tomcat | 8.5.55 | All | All | All |
| Application | Apache | Tomcat | 8.5.56 | All | All | All |
| Application | Apache | Tomcat | 8.5.57 | All | All | All |
| Application | Apache | Tomcat | 8.5.6 | All | All | All |
| Application | Apache | Tomcat | 8.5.7 | All | All | All |
| Application | Apache | Tomcat | 8.5.8 | All | All | All |
| Application | Apache | Tomcat | 8.5.9 | All | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | 9.0.1 | All | All | All |
| Application | Apache | Tomcat | 9.0.10 | All | All | All |
| Application | Apache | Tomcat | 9.0.11 | All | All | All |
| Application | Apache | Tomcat | 9.0.12 | All | All | All |
| Application | Apache | Tomcat | 9.0.13 | All | All | All |
| Application | Apache | Tomcat | 9.0.14 | All | All | All |
| Application | Apache | Tomcat | 9.0.15 | All | All | All |
| Application | Apache | Tomcat | 9.0.16 | All | All | All |
| Application | Apache | Tomcat | 9.0.17 | All | All | All |
| Application | Apache | Tomcat | 9.0.18 | All | All | All |
| Application | Apache | Tomcat | 9.0.19 | All | All | All |
| Application | Apache | Tomcat | 9.0.2 | All | All | All |
| Application | Apache | Tomcat | 9.0.20 | All | All | All |
| Application | Apache | Tomcat | 9.0.21 | All | All | All |
| Application | Apache | Tomcat | 9.0.22 | All | All | All |
| Application | Apache | Tomcat | 9.0.23 | All | All | All |
| Application | Apache | Tomcat | 9.0.24 | All | All | All |
| Application | Apache | Tomcat | 9.0.25 | All | All | All |
| Application | Apache | Tomcat | 9.0.26 | All | All | All |
| Application | Apache | Tomcat | 9.0.27 | All | All | All |
| Application | Apache | Tomcat | 9.0.28 | All | All | All |
| Application | Apache | Tomcat | 9.0.29 | All | All | All |
| Application | Apache | Tomcat | 9.0.3 | All | All | All |
| Application | Apache | Tomcat | 9.0.30 | All | All | All |
| Application | Apache | Tomcat | 9.0.31 | All | All | All |
| Application | Apache | Tomcat | 9.0.32 | All | All | All |
| Application | Apache | Tomcat | 9.0.33 | All | All | All |
| Application | Apache | Tomcat | 9.0.34 | All | All | All |
| Application | Apache | Tomcat | 9.0.35 | All | All | All |
| Application | Apache | Tomcat | 9.0.36 | All | All | All |
| Application | Apache | Tomcat | 9.0.37 | All | All | All |
| Application | Apache | Tomcat | 9.0.4 | All | All | All |
| Application | Apache | Tomcat | 9.0.5 | All | All | All |
| Application | Apache | Tomcat | 9.0.6 | All | All | All |
| Application | Apache | Tomcat | 9.0.7 | All | All | All |
| Application | Apache | Tomcat | 9.0.8 | All | All | All |
| Application | Apache | Tomcat | 9.0.9 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.2 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | 17.3 | All | All | All |
| Application | Oracle | Sd-wan Edge | 9.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] [DLA 2407-1] tomcat8 security update | MLIST | lists.debian.org | Third Party Advisory |
| Pony Mail! | MISC | lists.apache.org | Vendor Advisory |
| CVE-2020-13943 Apache Tomcat Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2020:1799-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4835-1 tomcat9 | DEBIAN | www.debian.org | |
| [security-announce] openSUSE-SU-2020:1842-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 198724 Ubuntu Security Notification for Tomcat Vulnerabilities (USN-5360-1)
- 20275 Oracle Database 18c Critical OJVM Patch Update - April 2021
- 20278 Oracle Database 19c Critical OJVM Patch Update - April 2021
- 239735 Red Hat Update for red hat jboss web server 5.4.1 (RHSA-2021:0494)
- 356256 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-011
- 730013 Apache Tomcat HTTP2 Client Information Disclosure Vulnerability(CVE-2020-13943)
- 730166 Atlassian Jira Server And Data Center Security Update (JRASERVER-72706)