CVE-2020-13934 — HIGH (7.5)

Q: How severe is CVE-2020-13934?

CVE-2020-13934 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-13934?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Netapp Oncommand System Manager, Opensuse Leap, Canonical Ubuntu Linux.

Vulnerability Description

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 8.5.1, <= 8.5.56
Debian	Debian Linux	9.0
Netapp	Oncommand System Manager	>= 3.0.0, <= 3.1.3
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	20.04
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Agile Plm	9.3.3
Oracle	Communications Instant Messaging Server	10.0.1.5.0
Oracle	Fmw Platform	12.2.1.3.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Managed File Transfer	12.2.1.3.0
Oracle	Mysql Enterprise Monitor	<= 8.0.21
Oracle	Siebel Ui Framework	<= 20.12
Oracle	Workload Manager	12.2.0.1

Related Weaknesses (CWE)

CWE-401 CWE-476

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.htmlMailing ListThird Party Advisory
https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9Mailing ListRelease NotesVendor Advisory
https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a9
https://lists.debian.org/debian-lts-announce/2020/07/msg00017.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200724-0003/Third Party Advisory
https://usn.ubuntu.com/4596-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4727Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-13934?

CVE-2020-13934 is a vulnerability with a CVSS score of 7.5 (HIGH). An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of s...

How severe is CVE-2020-13934?

CVE-2020-13934 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-13934?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Netapp Oncommand System Manager, Opensuse Leap, Canonical Ubuntu Linux.