First published: Mon Oct 12 2020 (Updated: )
A flaw was found in Apache Tomcat. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo-headers, from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. The highest threat from this vulnerability is to data confidentiality.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
maven/org.apache.tomcat:tomcat-coyote | >=8.5.0<=8.5.57 | 8.5.58 |
maven/org.apache.tomcat:tomcat-coyote | >=9.0.0-M1<=9.0.37 | 9.0.38 |
maven/org.apache.tomcat:tomcat-coyote | >=10.0.0-M1<=10.0.0-M7 | 10.0.0-M8 |
redhat/jws5-tomcat | <0:9.0.36-9.redhat_8.1.el7 | 0:9.0.36-9.redhat_8.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.25-3.redhat_3.el7 | 0:1.2.25-3.redhat_3.el7 |
redhat/jws5-tomcat | <0:9.0.36-9.redhat_8.1.el8 | 0:9.0.36-9.redhat_8.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.25-3.redhat_3.el8 | 0:1.2.25-3.redhat_3.el8 |
Apache Tomcat | =8.5.0 | |
Apache Tomcat | =8.5.1 | |
Apache Tomcat | =8.5.2 | |
Apache Tomcat | =8.5.3 | |
Apache Tomcat | =8.5.4 | |
Apache Tomcat | =8.5.5 | |
Apache Tomcat | =8.5.6 | |
Apache Tomcat | =8.5.7 | |
Apache Tomcat | =8.5.8 | |
Apache Tomcat | =8.5.9 | |
Apache Tomcat | =8.5.10 | |
Apache Tomcat | =8.5.11 | |
Apache Tomcat | =8.5.12 | |
Apache Tomcat | =8.5.13 | |
Apache Tomcat | =8.5.14 | |
Apache Tomcat | =8.5.15 | |
Apache Tomcat | =8.5.16 | |
Apache Tomcat | =8.5.17 | |
Apache Tomcat | =8.5.18 | |
Apache Tomcat | =8.5.19 | |
Apache Tomcat | =8.5.20 | |
Apache Tomcat | =8.5.21 | |
Apache Tomcat | =8.5.22 | |
Apache Tomcat | =8.5.23 | |
Apache Tomcat | =8.5.24 | |
Apache Tomcat | =8.5.25 | |
Apache Tomcat | =8.5.26 | |
Apache Tomcat | =8.5.27 | |
Apache Tomcat | =8.5.28 | |
Apache Tomcat | =8.5.29 | |
Apache Tomcat | =8.5.30 | |
Apache Tomcat | =8.5.31 | |
Apache Tomcat | =8.5.32 | |
Apache Tomcat | =8.5.33 | |
Apache Tomcat | =8.5.34 | |
Apache Tomcat | =8.5.35 | |
Apache Tomcat | =8.5.36 | |
Apache Tomcat | =8.5.37 | |
Apache Tomcat | =8.5.38 | |
Apache Tomcat | =8.5.39 | |
Apache Tomcat | =8.5.40 | |
Apache Tomcat | =8.5.41 | |
Apache Tomcat | =8.5.42 | |
Apache Tomcat | =8.5.43 | |
Apache Tomcat | =8.5.44 | |
Apache Tomcat | =8.5.45 | |
Apache Tomcat | =8.5.46 | |
Apache Tomcat | =8.5.47 | |
Apache Tomcat | =8.5.48 | |
Apache Tomcat | =8.5.49 | |
Apache Tomcat | =8.5.50 | |
Apache Tomcat | =8.5.51 | |
Apache Tomcat | =8.5.52 | |
Apache Tomcat | =8.5.53 | |
Apache Tomcat | =8.5.54 | |
Apache Tomcat | =8.5.55 | |
Apache Tomcat | =8.5.56 | |
Apache Tomcat | =8.5.57 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone27 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
Apache Tomcat | =9.0.1 | |
Apache Tomcat | =9.0.2 | |
Apache Tomcat | =9.0.3 | |
Apache Tomcat | =9.0.4 | |
Apache Tomcat | =9.0.5 | |
Apache Tomcat | =9.0.6 | |
Apache Tomcat | =9.0.7 | |
Apache Tomcat | =9.0.8 | |
Apache Tomcat | =9.0.9 | |
Apache Tomcat | =9.0.10 | |
Apache Tomcat | =9.0.11 | |
Apache Tomcat | =9.0.12 | |
Apache Tomcat | =9.0.13 | |
Apache Tomcat | =9.0.14 | |
Apache Tomcat | =9.0.15 | |
Apache Tomcat | =9.0.16 | |
Apache Tomcat | =9.0.17 | |
Apache Tomcat | =9.0.18 | |
Apache Tomcat | =9.0.19 | |
Apache Tomcat | =9.0.20 | |
Apache Tomcat | =9.0.21 | |
Apache Tomcat | =9.0.22 | |
Apache Tomcat | =9.0.23 | |
Apache Tomcat | =9.0.24 | |
Apache Tomcat | =9.0.25 | |
Apache Tomcat | =9.0.26 | |
Apache Tomcat | =9.0.27 | |
Apache Tomcat | =9.0.28 | |
Apache Tomcat | =9.0.29 | |
Apache Tomcat | =9.0.30 | |
Apache Tomcat | =9.0.31 | |
Apache Tomcat | =9.0.32 | |
Apache Tomcat | =9.0.33 | |
Apache Tomcat | =9.0.34 | |
Apache Tomcat | =9.0.35 | |
Apache Tomcat | =9.0.36 | |
Apache Tomcat | =9.0.37 | |
Apache Tomcat | =10.0.0-milestone1 | |
Apache Tomcat | =10.0.0-milestone2 | |
Apache Tomcat | =10.0.0-milestone3 | |
Apache Tomcat | =10.0.0-milestone4 | |
Apache Tomcat | =10.0.0-milestone5 | |
Apache Tomcat | =10.0.0-milestone6 | |
Apache Tomcat | =10.0.0-milestone7 | |
Debian Linux | =9.0 | |
Debian Linux | =10.0 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle SD-WAN Edge | =9.0 | |
IBM Engineering Requirements Management DOORS | <=9.7.2.7 | |
IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
redhat/tomcat | <10.0.0 | 10.0.0 |
redhat/tomcat | <9.0.38 | 9.0.38 |
redhat/tomcat | <8.5.58 | 8.5.58 |
debian/tomcat9 | | 9.0.43-2~deb11u10, 9.0.70-2, 9.0.95-1 |
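As an added check that is not part of the advisory, the script below compares a tomcat-coyote version string against the affected ranges listed in the table above and returns the upgrade target; it assumes Maven's ordering, where a milestone qualifier (`-M7` or `-milestone7`) sorts before the GA release of the same number.

```python
import re

# Affected ranges for maven/org.apache.tomcat:tomcat-coyote, copied from the table above:
# (first affected, last affected, fixed version)
AFFECTED = [
    ("8.5.0", "8.5.57", "8.5.58"),
    ("9.0.0-M1", "9.0.37", "9.0.38"),
    ("10.0.0-M1", "10.0.0-M7", "10.0.0-M8"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(?:M|milestone)(\d+))?")


def parse(version):
    """Turn '9.0.0-M7' or '9.0.0-milestone7' into a sortable tuple.

    Milestones sort before the final release of the same numeric version
    (9.0.0-M7 < 9.0.0), which is the ordering Maven applies to 'M'/'milestone'
    qualifiers (assumption stated in the lead-in).
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # A milestone gets (0, n); a GA release gets (1, 0) so it sorts after every milestone.
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def check(version):
    """Return the fixed version to upgrade to, or None when the given version
    falls outside every affected range in the table."""
    v = parse(version)
    for lo, hi, fixed in AFFECTED:
        if parse(lo) <= v <= parse(hi):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs: one per branch, plus a milestone and a fixed release.
    for sample in ("8.5.57", "9.0.0-milestone10", "10.0.0-M7", "9.0.38", "10.0.0"):
        target = check(sample)
        print(f"{sample}: {'upgrade to ' + target if target else 'not in an affected range'}")
```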