PT-2020-5486 · Apache · Apache Tomcat

Published: 2020-07-05 · Updated: 2026-03-26 · CVE-2020-13934

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.1 through 8.5.56
Apache Tomcat versions 9.0.0.M5 through 9.0.36
Apache Tomcat versions 10.0.0-M1 through 10.0.0-M6

Description
The issue concerns h2c direct connections to Apache Tomcat (a cleartext HTTP/1.1 request that is upgraded to HTTP/2): after the upgrade, the HTTP/1.1 processor is not released. A remote attacker who opens a sufficient number of such connections can therefore cause an OutOfMemoryException, resulting in a denial of service.

Recommendations
For Apache Tomcat versions 8.5.1 through 8.5.56, update to a version that includes the fix for this issue.
For Apache Tomcat versions 9.0.0.M5 through 9.0.36, update to a version that includes the fix for this issue.
For Apache Tomcat versions 10.0.0-M1 through 10.0.0-M6, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting the number of h2c direct connections to prevent an OutOfMemoryException.

Exploit

Fix

DoS

Memory Leak

Buffer Overflow

Resource Exhaustion

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2021-00783
BIT-TOMCAT-2020-13934
CVE-2020-13934
DLA-2286-1
DSA-4727-1
GHSA-VF77-8H7G-GGHP
MGASA-2020-0331
OPENSUSE-SU-2020:1102-1
OPENSUSE-SU-2020:1111-1
OPENSUSE-SU-2020_1102-1
OPENSUSE-SU-2020_1111-1
OPENSUSE-SU-2024:12103-1
OPENSUSE-SU-2024:13441-1
RHSA-2020:3306
SUSE-SU-2020:2037-1
SUSE-SU-2020:2045-1
SUSE-SU-2020:2046-1
SUSE-SU-2020:2047-1
SUSE-SU-2026:1058-1
USN-4596-1

Affected Products

Alt Linux
Apache Tomcat
Linuxmint
Suse
Ubuntu