PT-2020-5408 · Apache+4 · Apache Tomcat+4

Published: 2020-06-07 · Updated: 2025-09-29 · CVE-2020-11996

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.0 through 8.5.55
Apache Tomcat versions 9.0.0.M1 through 9.0.35
Apache Tomcat versions 10.0.0-M1 through 10.0.0-M5

Description

The issue is an uncontrolled resource consumption flaw in the Apache Tomcat server. A remote attacker can exploit it with a specially crafted sequence of HTTP/2 requests, potentially causing high CPU usage for several seconds. If a sufficient number of such requests are made on concurrent HTTP/2 connections, the server could become unresponsive.

Recommendations

For each affected branch (Apache Tomcat 8.5.0 through 8.5.55, 9.0.0.M1 through 9.0.35, and 10.0.0-M1 through 10.0.0-M5), update to a version that includes a fix for this issue. As a temporary workaround, consider restricting the number of concurrent HTTP/2 connections to minimize the risk of exploitation.

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2021-00506
BIT-TOMCAT-2020-11996
CVE-2020-11996
DLA-2279-1
DSA-4727-1
GHSA-53HP-JPWQ-2JGQ
MGASA-2020-0331
OPENSUSE-SU-2020:1051-1
OPENSUSE-SU-2020:1063-1
OPENSUSE-SU-2020_1051-1
OPENSUSE-SU-2020_1063-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2020:5170
SUSE-SU-2020:1841-1
SUSE-SU-2020:1962-1
SUSE-SU-2020:1963-1
SUSE-SU-2020:1983-1
SUSE-SU-2020_1841-1
SUSE-SU-2020_1962-1
SUSE-SU-2020_1963-1
SUSE-SU-2020_1983-1
USN-4596-1

Affected Products

Alt Linux
Apache Tomcat
Linuxmint
Suse
Ubuntu