High severityNVD Advisory· Published Jul 14, 2020· Updated Aug 4, 2024
CVE-2020-13935
CVE-2020-13935
Description
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 10.0.0-M1, < 10.0.0-M7 | 10.0.0-M7 |
org.apache.tomcat:tomcatMaven | >= 9.0.0.M1, < 9.0.37 | 9.0.37 |
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.57 | 8.5.57 |
org.apache.tomcat:tomcatMaven | >= 7.0.27, < 7.0.105 | 7.0.105 |
org.apache.tomcat.embed:tomcat-embed-websocketMaven | >= 7.0.27, < 7.0.105 | 7.0.105 |
org.apache.tomcat.embed:tomcat-embed-websocketMaven | >= 8.5.0, < 8.5.57 | 8.5.57 |
org.apache.tomcat.embed:tomcat-embed-websocketMaven | >= 9.0.0.M1, < 9.0.37 | 9.0.37 |
org.apache.tomcat.embed:tomcat-embed-websocketMaven | >= 10.0.0-M1, < 10.0.0-M7 | 10.0.0-M7 |
org.apache.tomcat:tomcat-websocketMaven | >= 10.0.0-M1, < 10.0.0-M7 | 10.0.0-M7 |
org.apache.tomcat:tomcat-websocketMaven | >= 9.0.0.M1, < 9.0.37 | 9.0.37 |
org.apache.tomcat:tomcat-websocketMaven | >= 8.5.0, < 8.5.57 | 8.5.57 |
org.apache.tomcat:tomcat-websocketMaven | >= 7.0.27, < 7.0.105 | 7.0.105 |
Affected products
34- osv-coords33 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-websocketpkg:maven/org.apache.tomcat/tomcatpkg:maven/org.apache.tomcat/tomcat-websocketpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 7.0.27, < 7.0.105+ 32 more
- (no CPE)range: >= 7.0.27, < 7.0.105
- (no CPE)range: >= 7.0.27, < 7.0.105
- (no CPE)range: >= 10.0.0-M1, < 10.0.0-M7
- (no CPE)range: >= 10.0.0-M1, < 10.0.0-M7
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-lp151.3.27.1
- (no CPE)range: < 9.0.36-lp152.2.4.1
- (no CPE)range: < 9.0.43-8.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.36-4.41.2
- (no CPE)range: < 9.0.36-3.6.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 9.0.36-3.65.2
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.36-3.45.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.36-3.45.1
Patches
Vulnerability mechanics
References
32- lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-m7jv-hq7h-mq7cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-13935ghsaADVISORY
- usn.ubuntu.com/4448-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/4596-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4727ghsavendor-advisoryx_refsource_DEBIANWEB
- github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5ghsaWEB
- github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3ghsaWEB
- github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723dghsaWEB
- github.com/apache/tomcat/commit/4c04982870d6e730c38e21e58fb653b7cf723784ghsaWEB
- github.com/apache/tomcat/commit/f9f75c14678b68633f79030ddf4ff827f014cc84ghsaWEB
- kc.mcafee.com/corporate/indexghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_MISCWEB
- lists.debian.org/debian-lts-announce/2020/07/msg00017.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20200724-0003ghsaWEB
- security.netapp.com/advisory/ntap-20200724-0003/mitrex_refsource_CONFIRM
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-7.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- usn.ubuntu.com/4448-1ghsaWEB
- usn.ubuntu.com/4596-1ghsaWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.