Lucene search

K
tomcatApache TomcatTOMCAT:72A659F35396F865D9A18EB5614CF486
HistoryJul 05, 2020 - 12:00 a.m.

Fixed in Apache Tomcat 8.5.57

2020-07-0500:00:00
Apache Tomcat
tomcat.apache.org
27

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.89 High

EPSS

Percentile

98.7%

Important: WebSocket DoS CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

This was fixed with commit 12d71567.

This issue was reported publicly via the Apache Bugzilla instance on 28 June 2020 and included references to high CPU but no specific reference to denial of service. The associated DoS risks were identified by the Apache Tomcat Security Team the same day. The issue was made public on 14 July 2020.

Affects: 8.5.0 to 8.5.56

Moderate: HTTP/2 DoS CVE-2020-13934

An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

This was fixed with commit 923d8345.

This issue was reported publicly via the Apache Tomcat Users mailing list on 22 June 2020 without reference to the potential for DoS. After further discussion to identify the steps necessary to reproduce the issue, the root cause of the issue and the associated DoS risks were identified by the Apache Tomcat Security Team on 26 June 2020. The issue was made public on 14 July 2020.

Affects: 8.5.1 to 8.5.56

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.89 High

EPSS

Percentile

98.7%