Versio.io

CVE-2020-17527

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 03-12-2020 08:15
Last modified: - 12-05-2022 04:47
Total changes: - 13

Description

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Low
Attack complexity
Network
Attack vector
None
Availability
High
Confidentiality
None
Integrity
None
Privileges required
Unchanged
Scope
None
User interaction
7.5
Base score
3.9
3.6
Exploitability score
Impact score
 

Verification logic

OR
OR
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone10
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone11
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone12
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone13
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone14
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone15
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone16
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone17
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone18
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone19
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone20
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone21
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone22
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone23
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone24
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone25
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone26
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone27
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone5
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone6
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone7
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone8
vendor=apache AND product=Tomcat AND version=9.0.0 AND update=milestone9
vendor=apache AND product=Tomcat AND version=9.0.36
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone1
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone2
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone3
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone4
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone5
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone6
vendor=apache AND product=Tomcat AND versionEndIncluding=8.5.59 AND versionStartIncluding=8.5.1
vendor=apache AND product=Tomcat AND versionEndIncluding=9.0.35 AND versionStartIncluding=9.0.1
vendor=apache AND product=Tomcat AND version=9.0.35-3.39.1
vendor=apache AND product=Tomcat AND version=9.0.35-3.57.3
vendor=apache AND product=Tomcat AND version=9.0.37
vendor=apache AND product=Tomcat AND version=9.0.38
vendor=apache AND product=Tomcat AND version=9.0.39
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone7
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone8
vendor=apache AND product=Tomcat AND version=10.0.0 AND update=milestone9
OR
vendor=netapp AND product=oncommand_system_manager AND versionEndIncluding=3.1.3 AND versionStartIncluding=3.0.0
vendor=netapp AND product=element_plug-in AND version=- AND target_software=vcenter_server
OR
vendor=Debian AND product=debian_linux AND version=9.0
vendor=Debian AND product=debian_linux AND version=10.0
OR
vendor=oracle AND product=instantis_enterprisetrack AND version=17.1
vendor=oracle AND product=instantis_enterprisetrack AND version=17.2
vendor=oracle AND product=instantis_enterprisetrack AND version=17.3
vendor=oracle AND product=sd-wan_edge AND version=9.0
vendor=oracle AND product=workload_manager AND version=18c
vendor=oracle AND product=workload_manager AND version=19c
vendor=oracle AND product=mysql_enterprise_monitor AND versionEndExcluding=8.0.23
vendor=oracle AND product=communications_cloud_native_core_binding_support_function AND version=1.10.0
vendor=oracle AND product=communications_cloud_native_core_policy AND version=1.14.0
vendor=oracle AND product=communications_instant_messaging_server AND version=10.0.1.5.0
vendor=oracle AND product=blockchain_platform AND versionEndExcluding=21.1.2
 

Reference

 


Keywords

NVD

 

CVE-2020-17527

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.