Apache Tomcat 8.5.x < 8.5.58 / 9.0.x < 9.0.38 HTTP/2 Request Mix-Up
The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.58 or 9.0.x prior to 9.0.38. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This can lead to users seeing responses for unexpected resources.
For this vulnerability to apply, HTTP/2 would need to be enabled on the Tomcat Connector, for example like this (HTTP/2 is only active when the Connector carries the nested UpgradeProtocol element):
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
Release : 20.2
Component : Spectrum Core / SpectroSERVER
HTTP2 is not used in our Tomcat configuration.
Therefore, Spectrum is not vulnerable to this CVE.
Spectrum Connector (does not have the upgrade protocol, so it is not affected) ex
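The following is an added example, not part of the KB article, showing how to check a server.xml for Connectors that actually enable HTTP/2 (the condition under which the request mix-up applies). The sample server.xml strings are constructed for illustration and the function name is hypothetical.

```python
"""Check a Tomcat server.xml for Connectors that enable HTTP/2.

Added example (not part of the KB article). A Connector is only exposed to
the HTTP/2 request mix-up when it has a nested
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>.
"""
import xml.etree.ElementTree as ET

HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"


def http2_connectors(server_xml: str) -> list:
    """Return one dict per Connector that enables the HTTP/2 upgrade protocol.

    Each entry records port, protocol class and whether TLS is on, which is
    what an operator needs to decide whether the Tomcat advisory applies.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        upgrades = [u.get("className") for u in conn.findall("UpgradeProtocol")]
        if HTTP2_UPGRADE in upgrades:
            found.append({
                "port": conn.get("port"),
                "protocol": conn.get("protocol", "HTTP/1.1"),
                "ssl": conn.get("SSLEnabled", "false").lower() == "true",
            })
    return found


# Constructed samples: one config without HTTP/2 (the situation the article
# describes) and one with HTTP/2 enabled, so both outcomes are exercised.
SAMPLE_NO_HTTP2 = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""

SAMPLE_HTTP2 = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("no-http2", SAMPLE_NO_HTTP2), ("http2", SAMPLE_HTTP2)):
        hits = http2_connectors(xml)
        verdict = "HTTP/2 enabled, advisory applies" if hits else "HTTP/2 not enabled"
        print(f"{label}: {verdict} {hits}")
```

Point it at the real server.xml of the Tomcat instance in question; an empty result means no Connector negotiates HTTP/2 and the mix-up condition cannot arise.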