High severity7.5NVD Advisory· Published Dec 3, 2020· Updated Jun 17, 2026
CVE-2020-17527
CVE-2020-17527
Description
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-coyoteMaven | >= 10.0.0-M1, < 10.0.0-M10 | 10.0.0-M10 |
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0-M1, < 9.0.40 | 9.0.40 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.0, < 8.5.60 | 8.5.60 |
Affected products
21- osv-coords20 versionspkg:bitnami/tomcatpkg:maven/org.apache.tomcat/tomcat-coyotepkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 8.5.1, < 8.5.60+ 19 more
- (no CPE)range: >= 8.5.1, < 8.5.60
- (no CPE)range: >= 10.0.0-M1, < 10.0.0-M10
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.36-lp151.3.39.1
- (no CPE)range: < 9.0.36-lp152.2.16.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 9.0.36-3.74.1
- (no CPE)range: < 9.0.36-3.74.1
- (no CPE)range: < 9.0.36-4.53.1
- (no CPE)range: < 9.0.36-3.18.1
- (no CPE)range: < 9.0.36-3.58.1
- (no CPE)range: < 9.0.36-3.58.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.74.1
- (no CPE)range: < 9.0.36-3.58.1
- (no CPE)range: < 9.0.36-3.58.1
- (no CPE)range: < 9.0.36-3.74.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-3.58.1
- (no CPE)range: < 9.0.36-3.58.1
- Apache Software Foundation/Apache Tomcatv5Range: Apache Tomcat 10 10.0.0-M1 to 10.0.0-M9
Patches
Vulnerability mechanics
References
49- www.oracle.com//security-alerts/cpujul2021.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2020/12/03/3nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-vvw4-rfwf-p6hxghsaADVISORY
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5%40%3Cannounce.tomcat.apache.org%3EnvdMailing ListVendor AdvisoryWEB
- lists.debian.org/debian-lts-announce/2020/12/msg00022.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2020-17527ghsaADVISORY
- security.gentoo.org/glsa/202012-23nvdThird Party AdvisoryWEB
- security.netapp.com/advisory/ntap-20201210-0003/nvdThird Party Advisory
- www.debian.org/security/2021/dsa-4835nvdThird Party AdvisoryWEB
- bz.apache.org/bugzilla/show_bug.cgighsaWEB
- github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29ghsaWEB
- github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cbghsaWEB
- github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65ghsaWEB
- lists.apache.org/thread.html/r26a2a66339087fc37db3caf201e446d3e83b5cce314371e235ff1784@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r2d6e05c5ff96f8068a59dfdb3800e9ee8d4e36ce1971783c6e5f9b20@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5a285242737ddef4d338236328aaaf3237183e1465a5efafd16b99ed@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9fd47f1b03e9b41d16a5cf72659b533887267d3398d963c2fff3abfa@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra35c8d617b17d59f400112cebadec43ad379f98198b4a9726190d7ee@%3Cissues.guacamole.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rabbe6b3ae6a9795641d7a05c00d2378d5bbbe4240b7e20f09b092cce@%3Cissues.guacamole.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rbba08c4dcef3603e36276d49adda8eedbe458c5104314b4038f697e1@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca@%3Cusers.tomcat.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20201210-0003ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- lists.apache.org/thread.html/r26a2a66339087fc37db3caf201e446d3e83b5cce314371e235ff1784%40%3Ccommits.tomee.apache.org%3Envd
- lists.apache.org/thread.html/r2d6e05c5ff96f8068a59dfdb3800e9ee8d4e36ce1971783c6e5f9b20%40%3Ccommits.tomee.apache.org%3Envd
- lists.apache.org/thread.html/r5a285242737ddef4d338236328aaaf3237183e1465a5efafd16b99ed%40%3Cdev.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c%40%3Cdev.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/r9fd47f1b03e9b41d16a5cf72659b533887267d3398d963c2fff3abfa%40%3Ccommits.tomee.apache.org%3Envd
- lists.apache.org/thread.html/ra35c8d617b17d59f400112cebadec43ad379f98198b4a9726190d7ee%40%3Cissues.guacamole.apache.org%3Envd
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d%40%3Cannounce.apache.org%3Envd
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d%40%3Cannounce.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53%40%3Cdev.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/rabbe6b3ae6a9795641d7a05c00d2378d5bbbe4240b7e20f09b092cce%40%3Cissues.guacamole.apache.org%3Envd
- lists.apache.org/thread.html/rbba08c4dcef3603e36276d49adda8eedbe458c5104314b4038f697e1%40%3Cusers.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937%40%3Cdev.tomcat.apache.org%3Envd
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5%40%3Cannounce.apache.org%3Envd
- lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca%40%3Cusers.tomcat.apache.org%3Envd
News mentions
0No linked articles in our index yet.