CVE-2020-11996
Published 2020-06-26
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apache_tomcat | — | — |
| apache | apache_tomcat | — | — |
| apache | apache_tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | 8.5.0 – 8.5.55 | — |
| apache | tomcat | 9.0.0 – 9.0.35 | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tomcat9 | < tomcat9 9.0.36-1 (bookworm) | tomcat9 9.0.36-1 (bookworm) |
| netapp | oncommand_system_manager | — | — |
| netapp | oncommand_system_manager | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| oracle | mysql_enterprise_monitor | <= 8.0.21 | — |
| oracle | siebel_ui_framework | <= 20.12 | — |
| oracle | workload_manager | — | — |
| oracle | workload_manager | — | — |
| oracle | workload_manager | — | — |
CVSS provenance
nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv: 7.5 HIGH