High severityNVD Advisory· Published Jul 14, 2020· Updated Aug 4, 2024
CVE-2020-13934
CVE-2020-13934
Description
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 10.0.0-M1, < 10.0.0-M6 | 10.0.0-M6 |
org.apache.tomcat:tomcatMaven | >= 9.0.0.M5, < 9.0.36 | 9.0.36 |
org.apache.tomcat:tomcatMaven | >= 8.5.1, < 8.5.56 | 8.5.56 |
org.apache.tomcat:tomcat-coyoteMaven | >= 10.0.0-M1, < 10.0.0-M6 | 10.0.0-M6 |
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0.M5, < 9.0.36 | 9.0.36 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.1, < 8.5.56 | 8.5.56 |
Affected products
21- osv-coords19 versionspkg:bitnami/tomcatpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 8.5.1, < 8.5.57+ 18 more
- (no CPE)range: >= 8.5.1, < 8.5.57
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-lp151.3.27.1
- (no CPE)range: < 9.0.36-lp152.2.4.1
- (no CPE)range: < 9.0.43-8.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.36-4.41.2
- (no CPE)range: < 9.0.36-3.6.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.45.1
Patches
Vulnerability mechanics
References
18- lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-vf77-8h7g-gghpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-13934ghsaADVISORY
- usn.ubuntu.com/4596-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4727ghsavendor-advisoryx_refsource_DEBIANWEB
- lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_MISCWEB
- lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/07/msg00017.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20200724-0003ghsaWEB
- security.netapp.com/advisory/ntap-20200724-0003/mitrex_refsource_CONFIRM
- usn.ubuntu.com/4596-1ghsaWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.