Data Processing Errors

CVE-2020-13943

Medium

4.3/10

Summary

If an HTTP/2 client connecting to Apache Tomcat between 10.0.0-M1 and 10.0.0-M7, between 9.0.0.M1 and 9.0.37, and between 8.5.0 and 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-19 - Data Processing Errors

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

References

Advisory
Mail Thread
Advisory

Advisory Timeline

Published Oct 12, 2020

Data Processing Errors

CVE-2020-13943

Summary

CWE-19 - Data Processing Errors

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS