CVE-2020-11996Uncontrolled Resource Consumption in Apache Tomcat

CWE-400Uncontrolled Resource Consumption11 documents9 sources
Severity
7.5HIGHNVD
EPSS
45.1%
top 2.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Apache TomcatOracle Mysql Enterprise MonitorOracle Siebel UI Framework+6 more
Timeline
PublishedJun 26
Latest updateFeb 9

Description

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

NVDapache/tomcat8.5.08.5.55+3
CVEListV5apache/apache_tomcat10.0.0-M1 to 10.0.0-M5, 8.5.0 to 8.5.55, 9.0.0.M1 to 9.0.35+2
NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 20.04

🔴Vulnerability Details

5
OSV
Uncontrolled Resource Consumption in Apache Tomcat2022-02-09
GHSA
Uncontrolled Resource Consumption in Apache Tomcat2022-02-09
OSV
tomcat9 vulnerabilities2020-10-21
CVEList
CVE-2020-11996: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 102020-06-26
OSV
CVE-2020-11996: A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 102020-06-26

📋Vendor Advisories

4
Ubuntu
Tomcat vulnerabilities2020-10-21
Red Hat
tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS2020-06-25
Debian
CVE-2020-11996: tomcat9 - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 ...2020
Apache
Apache tomcat: CVE-2020-11996

💬Community

1
Bugzilla
CVE-2020-11996 tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS2020-06-26
CVE-2020-11996 — Uncontrolled Resource Consumption | cvebase