You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/01/19 18:10:53 UTC
Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2
Request header mix-up
Please note the updated affected version information below.
Mark
On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39
This should be Apache Tomcat 9.0.0.M1 to 9.0.39
> Apache Tomcat 8.5.1 to 8.5.59
This should be Apache Tomcat 8.5.0 to 8.5.59
>
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
> re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>