QID 356256
Date Published: 2023-09-28
QID 356256: Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-011
If an http/2 client connecting to apache tomcat 10.0.0-m1 to 10.0.0-m7, 9.0.0.m1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the http/2 protocol), it was possible that a subsequent request made on that connection could contain http headers - including http/2 pseudo headers - from a previous request rather than the intended headers.
This could lead to users seeing responses for unexpected resources. (
( CVE-2020-13943)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
Solution
Please refer to Amazon advisory: ALASTOMCAT8.5-2023-011 for affected packages and patching details, or update with your package manager.
Vendor References
- ALASTOMCAT8.5-2023-011 -
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-011.html
CVEs related to QID 356256
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALASTOMCAT8.5-2023-011 | amazon linux 2 |
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-011.html |