CVE-2020-11996 — Uncontrolled Resource Consumption in Apache Tomcat

CWE-400 — Uncontrolled Resource Consumption11 documents9 sources

Severity

7.5HIGHNVD

EPSS

45.1%

top 2.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Oracle Mysql Enterprise Monitor Oracle Siebel UI Framework +6 more

Timeline

PublishedJun 26

Latest updateFeb 9

Description

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDapache/tomcat8.5.0 — 8.5.55+3

▶CVEListV5apache/apache_tomcat10.0.0-M1 to 10.0.0-M5, 8.5.0 to 8.5.55, 9.0.0.M1 to 9.0.35+2

▶NVDoracle/siebel_ui_framework20.12

▶NVDoracle/mysql_enterprise_monitor8.0.21

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 20.04

🔴Vulnerability Details

OSV

Uncontrolled Resource Consumption in Apache Tomcat↗2022-02-09

▶

GHSA

Uncontrolled Resource Consumption in Apache Tomcat↗2022-02-09

▶

OSV

tomcat9 vulnerabilities↗2020-10-21

▶

CVEList

CVE-2020-11996: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10↗2020-06-26

▶

OSV

CVE-2020-11996: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10↗2020-06-26

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerabilities↗2020-10-21

▶

Red Hat

tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS↗2020-06-25

▶

Debian

CVE-2020-11996: tomcat9 - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 ...↗2020

▶

Apache

Apache tomcat: CVE-2020-11996↗

▶

💬Community

Bugzilla

CVE-2020-11996 tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS↗2020-06-26

▶