Lucene search

K
nvd[email protected]NVD:CVE-2020-17527
HistoryDec 03, 2020 - 7:15 p.m.

CVE-2020-17527

2020-12-0319:15:12
CWE-200
web.nvd.nist.gov
1

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.003

Percentile

65.5%

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Affected configurations

NVD
Node
apachetomcatRange8.5.1–8.5.59
OR
apachetomcatRange9.0.1–9.0.35
OR
apachetomcatMatch9.0.0milestone10
OR
apachetomcatMatch9.0.0milestone11
OR
apachetomcatMatch9.0.0milestone12
OR
apachetomcatMatch9.0.0milestone13
OR
apachetomcatMatch9.0.0milestone14
OR
apachetomcatMatch9.0.0milestone15
OR
apachetomcatMatch9.0.0milestone16
OR
apachetomcatMatch9.0.0milestone17
OR
apachetomcatMatch9.0.0milestone18
OR
apachetomcatMatch9.0.0milestone19
OR
apachetomcatMatch9.0.0milestone20
OR
apachetomcatMatch9.0.0milestone21
OR
apachetomcatMatch9.0.0milestone22
OR
apachetomcatMatch9.0.0milestone23
OR
apachetomcatMatch9.0.0milestone24
OR
apachetomcatMatch9.0.0milestone25
OR
apachetomcatMatch9.0.0milestone26
OR
apachetomcatMatch9.0.0milestone27
OR
apachetomcatMatch9.0.0milestone5
OR
apachetomcatMatch9.0.0milestone6
OR
apachetomcatMatch9.0.0milestone7
OR
apachetomcatMatch9.0.0milestone8
OR
apachetomcatMatch9.0.0milestone9
OR
apachetomcatMatch9.0.35-3.39.1
OR
apachetomcatMatch9.0.35-3.57.3
OR
apachetomcatMatch9.0.36
OR
apachetomcatMatch9.0.37
OR
apachetomcatMatch9.0.38
OR
apachetomcatMatch9.0.39
OR
apachetomcatMatch10.0.0milestone1
OR
apachetomcatMatch10.0.0milestone2
OR
apachetomcatMatch10.0.0milestone3
OR
apachetomcatMatch10.0.0milestone4
OR
apachetomcatMatch10.0.0milestone5
OR
apachetomcatMatch10.0.0milestone6
OR
apachetomcatMatch10.0.0milestone7
OR
apachetomcatMatch10.0.0milestone8
OR
apachetomcatMatch10.0.0milestone9
Node
netappelement_plug-inMatch-vcenter_server
OR
netapponcommand_system_managerRange3.0.0–3.1.3
Node
debiandebian_linuxMatch9.0
OR
debiandebian_linuxMatch10.0
Node
oracleblockchain_platformRange<21.1.2
OR
oraclecommunications_cloud_native_core_binding_support_functionMatch1.10.0
OR
oraclecommunications_cloud_native_core_policyMatch1.14.0
OR
oraclecommunications_instant_messaging_serverMatch10.0.1.5.0
OR
oracleinstantis_enterprisetrackMatch17.1
OR
oracleinstantis_enterprisetrackMatch17.2
OR
oracleinstantis_enterprisetrackMatch17.3
OR
oraclemysql_enterprise_monitorRange<8.0.23
OR
oraclesd-wan_edgeMatch9.0
OR
oracleworkload_managerMatch18c
OR
oracleworkload_managerMatch19c

References

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.003

Percentile

65.5%