CVE-2020-13934

Published Jul 14, 2020
Last updated a year ago
CVSS high 7.5
Overview

Description: An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
Source: security@apache.org
NVD status: Modified
Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH
CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:N/A:P
Weaknesses

nvd@nist.gov: CWE-401
Hype score: Not currently trending
Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC12DC95-E469-4172-B8EE-5465CCB0D834",
            "versionEndIncluding": "8.5.56",
            "versionStartIncluding": "8.5.1"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6BECF310-3247-4CE3-87F2-0E88C0278341",
            "versionEndIncluding": "9.0.36",
            "versionStartIncluding": "9.0.1"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "90CD7E85-4FF9-4158-AC78-4BFCBC882A65"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7EA56B52-1015-40CD-B10C-393768094269"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "501B0D4A-D636-4736-979B-D5023599CEFB"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "94E7764F-BF9E-463E-B446-A9A8DB92BB97"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "53A9F7EE-AF2A-43E5-B708-0198784AB45A"
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AC872C5F-63AF-4BB8-8629-334FC9704AE8"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "34B80C9D-62AA-42FA-AB46-F8A414FCBE5E",
            "versionEndIncluding": "3.1.3",
            "versionStartIncluding": "3.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"
          },
          {
            "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64"
          },
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D"
          },
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ED43772F-D280-42F6-A292-7198284D6FE7"
          },
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48"
          },
          {
            "criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9C5E9A12-BFE9-4963-A360-A34168A6BF6A"
          },
          {
            "criteria": "cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CA2E1357-E3A1-461C-B7A0-A9446E45496D"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4"
          },
          {
            "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "70C60E6C-1A61-422B-A132-FB024761F576",
            "versionEndIncluding": "8.0.21"
          },
          {
            "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "30DB69BD-0F6E-4AB5-A861-7CB911C35660",
            "versionEndIncluding": "20.12"
          },
          {
            "criteria": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD848FE1-CFD7-490C-B008-DF3B30F3256F"
          },
          {
            "criteria": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "630C8E99-FE49-486E-9003-40B82809B7A3"
          },
          {
            "criteria": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C842DE9E-5E12-4295-AFA5-DEB5FEDE490A"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References
