HIGH · 7.5

CVE-2020-11996

Vulnerability Description

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector:       NETWORK
Attack Complexity:   LOW
Privileges Required: NONE
User Interaction:    NONE
Scope:               UNCHANGED
Confidentiality:     NONE
Integrity:           NONE
Availability:        HIGH

Affected Products

Vendor      Product                    Versions
Apache      Tomcat                     >= 8.5.0, <= 8.5.55
Canonical   Ubuntu Linux               20.04
Oracle      Mysql Enterprise Monitor   <= 8.0.21
Oracle      Siebel Ui Framework        <= 20.12
Oracle      Workload Manager           12.2.0.1
Opensuse    Leap                       15.1
Debian      Debian Linux               9.0
Netapp      Oncommand System Manager   3.0

References

FAQ

What is CVE-2020-11996?

CVE-2020-11996 is a vulnerability with a CVSS score of 7.5 (HIGH). A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

How severe is CVE-2020-11996?

CVE-2020-11996 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2020-11996?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Canonical Ubuntu Linux, Oracle Mysql Enterprise Monitor, Oracle Siebel Ui Framework, Oracle Workload Manager.