
Tomcat Vulnerability CVE-2020-13943


Article ID: 202111


Updated On:


CA Spectrum CA eHealth


Apache Tomcat 8.5.x < 8.5.58 / 9.0.x < 9.0.38 HTTP/2 Request Mix-Up

The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.58 or 9.0.x prior to 9.0.38. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This can lead to users seeing responses for unexpected resources.





For this vulnerability to apply, HTTP/2 would need to be enabled on the Tomcat connector, as follows:


An HTTP/2 enabled connector would have a configuration like this (an UpgradeProtocol element naming the HTTP/2 protocol class):
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateChainFile="conf/chain.pem" type="RSA" />
    </SSLHostConfig>
</Connector>
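The two conditions above (an affected Tomcat version and a connector with the HTTP/2 UpgradeProtocol) can be checked against a server.xml. The following is an added example, not code from the article or from the Spectrum product; the server.xml it parses is a constructed sample containing one HTTP/2 connector and one plain TLS connector.

```python
"""Report Tomcat connectors exposed to CVE-2020-13943 (added example)."""
import xml.etree.ElementTree as ET
from typing import List

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: port 443 has the HTTP/2 upgrade protocol,
# port 8443 is a TLS connector without it (the Spectrum-style case).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateChainFile="conf/chain.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""


def http2_connector_ports(server_xml: str) -> List[str]:
    """Return the port of every Connector whose UpgradeProtocol child
    names the HTTP/2 protocol class."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        upgrades = connector.findall("UpgradeProtocol")
        if any(u.get("className") == HTTP2_CLASS for u in upgrades):
            ports.append(connector.get("port", "?"))
    return ports


def version_in_affected_range(version: str) -> bool:
    """True for 8.5.x below 8.5.58 or 9.0.x below 9.0.38, the ranges named
    in the advisory. Other branches return False: the article says nothing
    about them, so they are not flagged here."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) == (8, 5):
        return patch < 58
    if (major, minor) == (9, 0):
        return patch < 38
    return False


def exposed_ports(server_xml: str, tomcat_version: str) -> List[str]:
    """Both conditions must hold: affected version AND HTTP/2 connector."""
    if not version_in_affected_range(tomcat_version):
        return []
    return http2_connector_ports(server_xml)
```

Run against a real deployment by reading conf/server.xml and the version string from `catalina.sh version`; an empty list means the HTTP/2 precondition for this CVE is absent.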


Release : 20.2

Component : Spectrum Core / SpectroSERVER


HTTP/2 is not used in the Spectrum Tomcat configuration.
Therefore, Spectrum is not vulnerable to this CVE.

Spectrum Connector (does not have the upgrade protocol, so it is not affected) ex