Vulnerability from bitnami_vulndb
Published
2024-03-06 11:11
Modified
2025-11-06 13:25
Summary
Details

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "tomcat",
        "purl": "pkg:bitnami/tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.1"
            },
            {
              "introduced": "8.5.1"
            },
            {
              "fixed": "8.5.2"
            },
            {
              "introduced": "8.5.2"
            },
            {
              "fixed": "8.5.3"
            },
            {
              "introduced": "8.5.3"
            },
            {
              "fixed": "8.5.4"
            },
            {
              "introduced": "8.5.4"
            },
            {
              "fixed": "8.5.5"
            },
            {
              "introduced": "8.5.5"
            },
            {
              "fixed": "8.5.6"
            },
            {
              "introduced": "8.5.6"
            },
            {
              "fixed": "8.5.7"
            },
            {
              "introduced": "8.5.7"
            },
            {
              "fixed": "8.5.8"
            },
            {
              "introduced": "8.5.8"
            },
            {
              "fixed": "8.5.9"
            },
            {
              "introduced": "8.5.9"
            },
            {
              "fixed": "8.5.10"
            },
            {
              "introduced": "8.5.10"
            },
            {
              "fixed": "8.5.11"
            },
            {
              "introduced": "8.5.11"
            },
            {
              "fixed": "8.5.12"
            },
            {
              "introduced": "8.5.12"
            },
            {
              "fixed": "8.5.13"
            },
            {
              "introduced": "8.5.13"
            },
            {
              "fixed": "8.5.14"
            },
            {
              "introduced": "8.5.14"
            },
            {
              "fixed": "8.5.15"
            },
            {
              "introduced": "8.5.15"
            },
            {
              "fixed": "8.5.16"
            },
            {
              "introduced": "8.5.16"
            },
            {
              "fixed": "8.5.17"
            },
            {
              "introduced": "8.5.17"
            },
            {
              "fixed": "8.5.18"
            },
            {
              "introduced": "8.5.18"
            },
            {
              "fixed": "8.5.19"
            },
            {
              "introduced": "8.5.19"
            },
            {
              "fixed": "8.5.20"
            },
            {
              "introduced": "8.5.20"
            },
            {
              "fixed": "8.5.21"
            },
            {
              "introduced": "8.5.21"
            },
            {
              "fixed": "8.5.22"
            },
            {
              "introduced": "8.5.22"
            },
            {
              "fixed": "8.5.23"
            },
            {
              "introduced": "8.5.23"
            },
            {
              "fixed": "8.5.24"
            },
            {
              "introduced": "8.5.24"
            },
            {
              "fixed": "8.5.25"
            },
            {
              "introduced": "8.5.25"
            },
            {
              "fixed": "8.5.26"
            },
            {
              "introduced": "8.5.26"
            },
            {
              "fixed": "8.5.27"
            },
            {
              "introduced": "8.5.27"
            },
            {
              "fixed": "8.5.28"
            },
            {
              "introduced": "8.5.28"
            },
            {
              "fixed": "8.5.29"
            },
            {
              "introduced": "8.5.29"
            },
            {
              "fixed": "8.5.30"
            },
            {
              "introduced": "8.5.30"
            },
            {
              "fixed": "8.5.31"
            },
            {
              "introduced": "8.5.31"
            },
            {
              "fixed": "8.5.32"
            },
            {
              "introduced": "8.5.32"
            },
            {
              "fixed": "8.5.33"
            },
            {
              "introduced": "8.5.33"
            },
            {
              "fixed": "8.5.34"
            },
            {
              "introduced": "8.5.34"
            },
            {
              "fixed": "8.5.35"
            },
            {
              "introduced": "8.5.35"
            },
            {
              "fixed": "8.5.36"
            },
            {
              "introduced": "8.5.36"
            },
            {
              "fixed": "8.5.37"
            },
            {
              "introduced": "8.5.37"
            },
            {
              "fixed": "8.5.38"
            },
            {
              "introduced": "8.5.38"
            },
            {
              "fixed": "8.5.39"
            },
            {
              "introduced": "8.5.39"
            },
            {
              "fixed": "8.5.40"
            },
            {
              "introduced": "8.5.40"
            },
            {
              "fixed": "8.5.41"
            },
            {
              "introduced": "8.5.41"
            },
            {
              "fixed": "8.5.42"
            },
            {
              "introduced": "8.5.42"
            },
            {
              "fixed": "8.5.43"
            },
            {
              "introduced": "8.5.43"
            },
            {
              "fixed": "8.5.44"
            },
            {
              "introduced": "8.5.44"
            },
            {
              "fixed": "8.5.45"
            },
            {
              "introduced": "8.5.45"
            },
            {
              "fixed": "8.5.46"
            },
            {
              "introduced": "8.5.46"
            },
            {
              "fixed": "8.5.47"
            },
            {
              "introduced": "8.5.47"
            },
            {
              "fixed": "8.5.48"
            },
            {
              "introduced": "8.5.48"
            },
            {
              "fixed": "8.5.49"
            },
            {
              "introduced": "8.5.49"
            },
            {
              "fixed": "8.5.50"
            },
            {
              "introduced": "8.5.50"
            },
            {
              "fixed": "8.5.51"
            },
            {
              "introduced": "8.5.51"
            },
            {
              "fixed": "8.5.52"
            },
            {
              "introduced": "8.5.52"
            },
            {
              "fixed": "8.5.53"
            },
            {
              "introduced": "8.5.53"
            },
            {
              "fixed": "8.5.54"
            },
            {
              "introduced": "8.5.54"
            },
            {
              "fixed": "8.5.55"
            },
            {
              "introduced": "8.5.55"
            },
            {
              "fixed": "8.5.56"
            },
            {
              "introduced": "8.5.56"
            },
            {
              "fixed": "8.5.57"
            },
            {
              "introduced": "8.5.57"
            },
            {
              "fixed": "8.5.58"
            },
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.38"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-13943"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.17:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.18:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.19:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.20:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.21:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.22:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.23:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.24:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.25:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.26:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.27:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.28:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.29:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.30:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.32:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.33:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.34:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.35:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.36:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.37:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.38:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.39:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.40:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.41:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.42:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.43:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.44:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.45:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.46:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.47:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.48:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.49:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.51:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.52:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.53:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.54:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.55:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.56:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.57:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.10:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.12:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.13:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.14:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.15:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.16:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.17:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.18:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.19:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.20:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.21:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.22:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.23:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.24:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.25:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.26:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.27:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.28:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.29:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.31:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.32:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.33:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.35:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.36:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.37:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:9.0.9:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.",
  "id": "BIT-tomcat-2020-13943",
  "modified": "2025-11-06T13:25:46.476Z",
  "published": "2024-03-06T11:11:40.396Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201016-0007/"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4835"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13943"
    }
  ],
  "schema_version": "1.5.0"
}

