Tomcat Vulnerability CVE-2020-13943


Article ID: 202111


Updated On:


Products: CA Spectrum, CA eHealth


Apache Tomcat 8.5.x < 8.5.58 / 9.0.x < 9.0.38 HTTP/2 Request Mix-Up

The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.58 or 9.0.x prior to 9.0.38. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), a subsequent request made on that connection can carry HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This can lead to users seeing responses for unexpected resources. The defect is in Tomcat's HTTP/2 stream handling, so only connectors that have HTTP/2 enabled can reach it.





Release : 20.2

Component : Spectrum Core / SpectroSERVER


For this vulnerability to apply, the Tomcat connector must have HTTP/2 enabled, which requires a configuration like the following:


An HTTP/2-enabled connector declares the Http2Protocol upgrade protocol inside the Connector element. The UpgradeProtocol line is the setting that turns HTTP/2 on; without it the connector speaks HTTP/1.1 only, even over TLS:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <!-- This element enables HTTP/2 (negotiated via ALPN on a TLS connector) -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>


HTTP/2 is not enabled in the Tomcat configuration shipped with Spectrum: its connector has no UpgradeProtocol element, so the HTTP/2 stream-handling code in which the header mix-up occurs is never used.
Therefore, Spectrum is not vulnerable to this CVE, regardless of the Tomcat version string a scanner reports.
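The following script is an added example (not Broadcom or Spectrum code) that applies the reasoning above to a server.xml: it lists every Connector that declares the Http2Protocol UpgradeProtocol and combines that with the installed version to say whether the advisory can apply. The embedded server.xml is constructed for the example; the 443 connector mirrors the HTTP/2 fragment above, and the 8443 connector is a hypothetical HTTPS-only connector of the kind Spectrum uses. Only the 8.5.x and 9.0.x fixed versions named on this page are tabled.

```python
"""Decide whether CVE-2020-13943 can apply to a Tomcat instance.

Added example, not Broadcom/Spectrum code: it reads server.xml, finds
connectors that enable HTTP/2, and checks the version against the fixed
releases named in the advisory text (8.5.58 and 9.0.38).
"""
import re
import xml.etree.ElementTree as ET

HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"

# First fixed release per branch, from the advisory text on this page.
FIXED = {(8, 5): (8, 5, 58), (9, 0): (9, 0, 38)}

# Constructed sample server.xml: one HTTP/2 connector (as in the fragment
# above) and one hypothetical HTTPS-only connector without UpgradeProtocol.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_version(version: str) -> tuple:
    """'9.0.37' -> (9, 0, 37). Extra tokens such as '.M1' are ignored."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def version_in_affected_range(version: str) -> bool:
    """True when the version is on a tabled branch and below its fixed release."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def http2_connectors(server_xml: str) -> list:
    """Return (port, protocol) for each <Connector> carrying the HTTP/2
    UpgradeProtocol. Only these connectors can reach the affected code path."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_UPGRADE:
                found.append((conn.get("port"), conn.get("protocol")))
                break
    return found


def assess(server_xml: str, tomcat_version: str) -> dict:
    """Exposure requires both an affected version and an HTTP/2 connector."""
    h2 = http2_connectors(server_xml)
    affected = version_in_affected_range(tomcat_version)
    return {
        "http2_connectors": h2,
        "version_affected": affected,
        "exposed": affected and bool(h2),
    }


if __name__ == "__main__":
    for version in ("8.5.57", "9.0.37", "9.0.38"):
        print(version, assess(SAMPLE_SERVER_XML, version))
```

To confirm the same thing against a running instance rather than the file, negotiate ALPN with the connector: `openssl s_client -alpn h2 -connect host:443 </dev/null 2>/dev/null | grep ALPN` prints `ALPN protocol: h2` when HTTP/2 is enabled and `No ALPN negotiated` when the connector is HTTP/1.1 only.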

Spectrum Connector (does not have the upgrade protocol, so it is not affected) ex