CVE-2020-13943
tomcat9 - security update
4.3
MEDIUM
CVSS 3.1
EPSS 12.1%
Description
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
How to fix CVE-2020-13943
To remediate CVE-2020-13943, upgrade the affected package to a fixed version below. Upstream fixes are the first release outside each affected range in the description; the Debian packages carry the fix as a backport without changing the upstream version number, so judge a Debian install by its package version, not by the upstream version Tomcat reports.
- upstream Tomcat 8.5.x: upgrade to 8.5.58 or later
- upstream Tomcat 9.0.x: upgrade to 9.0.38 or later
- upstream Tomcat 10.0.x: upgrade to 10.0.0-M8 or later
- Debian 9 (stretch) package: upgrade to 8.5.54-0+deb9u4 or later
- Debian 10 (buster) package: upgrade to 9.0.31-1~deb10u3 or later
- Debian package (unstable/testing): upgrade to 9.0.38-1 or later
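As an added exposure check (example code written for this page, not part of the advisory or of Tomcat itself), the script below decides whether an upstream Tomcat build is exposed to CVE-2020-13943. Two conditions must both hold: the version falls in one of the affected ranges above, and at least one Connector in server.xml enables HTTP/2 through the Http2Protocol UpgradeProtocol, since the defect is in Tomcat's HTTP/2 stream handling and HTTP/1.1-only connectors are not reachable by the HTTP/2 client behaviour the description relies on. The server.xml is a constructed sample embedded in the script and the function names are my own. The version parser deliberately rejects Debian package strings such as 9.0.31-1~deb10u3: Debian backports the fix without bumping the upstream version, so for distribution packages compare the package version against the Debian fixed versions listed above (for example with dpkg --compare-versions) rather than running this check.

```python
"""Exposure check for CVE-2020-13943 (added example, not from the advisory).

A Tomcat instance is exposed when both hold:
  1. its upstream version is inside an affected range from the advisory, and
  2. at least one Connector enables HTTP/2 via the Http2Protocol UpgradeProtocol.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges (lower bound inclusive, upper bound exclusive) from the advisory.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.58"),
    ("9.0.0.M1", "9.0.38"),
    ("10.0.0-M1", "10.0.0-M8"),
]

# The only way HTTP/2 is enabled on a Tomcat 8.5/9/10 Connector.
HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"

# Upstream Tomcat versions only: "9.0.37", "9.0.0.M1", "10.0.0-M7".
# Debian package versions (e.g. "9.0.31-1~deb10u3") are rejected on purpose.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Constructed sample server.xml: one plain HTTP/1.1 connector and one TLS
# connector with HTTP/2 enabled (hypothetical configuration for this example).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_version(version):
    """Turn an upstream Tomcat version into a sortable tuple.

    Milestones sort before the GA release of the same number: the fourth
    element is the milestone number, or +inf for a GA release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not an upstream Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), ms)


def is_affected_version(version):
    """True if the version lies inside any affected range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def http2_connectors(server_xml):
    """Return the port of every Connector that enables the HTTP/2 upgrade protocol."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_UPGRADE:
                ports.append(connector.get("port"))
                break
    return ports


def assess(version, server_xml):
    """Return (exposed, explanation) for a Tomcat version and its server.xml."""
    affected = is_affected_version(version)
    ports = http2_connectors(server_xml)
    if not affected:
        detail = "version %s is outside the affected ranges" % version
    elif not ports:
        detail = "version %s is affected but no Connector enables HTTP/2" % version
    else:
        detail = "version %s is affected and HTTP/2 is enabled on port(s) %s" % (
            version, ", ".join(ports))
    return affected and bool(ports), detail


if __name__ == "__main__":
    for ver in ("8.5.57", "8.5.58", "9.0.0.M1", "9.0.37", "9.0.38", "10.0.0-M7", "10.0.0-M8"):
        exposed, detail = assess(ver, SAMPLE_SERVER_XML)
        print("%-10s %-8s %s" % (ver, "EXPOSED" if exposed else "ok", detail))
```

Run it against the real conf/server.xml and the version printed by bin/version.sh; an "affected but no Connector enables HTTP/2" result still warrants the upgrade, it just means the HTTP/2 code path is not currently reachable.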
Is CVE-2020-13943 being exploited?
Moderate — EPSS is 12.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (5)
- >= 8.5.0, < 8.5.1, >= 8.5.1, < 8.5.2, >= 8.5.2, < 8.5.3, >= 8.5.3, < 8.5.4, >= 8.5.4, < 8.5.5, >= 8.5.5, < 8.5.6, >= 8.5.6, < 8.5.7, >= 8.5.7, < 8.5.8, >= 8.5.8, < 8.5.9, >= 8.5.9, < 8.5.10, >= 8.5.10, < 8.5.11, >= 8.5.11, < 8.5.12, >= 8.5.12, < 8.5.13, >= 8.5.13, < 8.5.14, >= 8.5.14, < 8.5.15, >= 8.5.15, < 8.5.16, >= 8.5.16, < 8.5.17, >= 8.5.17, < 8.5.18, >= 8.5.18, < 8.5.19, >= 8.5.19, < 8.5.20, >= 8.5.20, < 8.5.21, >= 8.5.21, < 8.5.22, >= 8.5.22, < 8.5.23, >= 8.5.23, < 8.5.24, >= 8.5.24, < 8.5.25, >= 8.5.25, < 8.5.26, >= 8.5.26, < 8.5.27, >= 8.5.27, < 8.5.28, >= 8.5.28, < 8.5.29, >= 8.5.29, < 8.5.30, >= 8.5.30, < 8.5.31, >= 8.5.31, < 8.5.32, >= 8.5.32, < 8.5.33, >= 8.5.33, < 8.5.34, >= 8.5.34, < 8.5.35, >= 8.5.35, < 8.5.36, >= 8.5.36, < 8.5.37, >= 8.5.37, < 8.5.38, >= 8.5.38, < 8.5.39, >= 8.5.39, < 8.5.40, >= 8.5.40, < 8.5.41, >= 8.5.41, < 8.5.42, >= 8.5.42, < 8.5.43, >= 8.5.43, < 8.5.44, >= 8.5.44, < 8.5.45, >= 8.5.45, < 8.5.46, >= 8.5.46, < 8.5.47, >= 8.5.47, < 8.5.48, >= 8.5.48, < 8.5.49, >= 8.5.49, < 8.5.50, >= 8.5.50, < 8.5.51, >= 8.5.51, < 8.5.52, >= 8.5.52, < 8.5.53, >= 8.5.53, < 8.5.54, >= 8.5.54, < 8.5.55, >= 8.5.55, < 8.5.56, >= 8.5.56, < 8.5.57, >= 8.5.57, < 8.5.58, >= 9.0.0, < 9.0.38
- from 0, < 8.5.54-0+deb9u4
- from 0, < 9.0.38-1
- from 0, < 9.0.31-1~deb10u3
- >= 10.0.0-M1, < 10.0.0-M8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |