What is CVE-2020-11996?

CVE-2020-11996 is a vulnerability in Apache Tomcat. Published 2020-06-26.

Is CVE-2020-11996 known to be exploited?

15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2020-11996

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on con…

EPSS: 0.451 (97.7th percentile) — read the EPSS interpretation.

Affected products

Apache Tomcat — versions 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35, 8.5.0 to 8.5.55

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204… (x_refsource_CONFIRM)
[ofbiz-notifications] 20200628 [jira] [Updated] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-notifications] 20200628 [jira] [Closed] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-notifications] 20200628 [jira] [Created] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-notifications] 20200628 [jira] [Created] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-commits] 20200628 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrades Tomcat to 9.0.36 due to CVE-2020-11996 (OFBIZ-11848) (mailing-list, x_refsource_MLIST)
[ofbiz-notifications] 20200628 [jira] [Closed] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-notifications] 20200628 [jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996) (mailing-list, x_refsource_MLIST)
[ofbiz-commits] 20200628 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrades Tomcat to 9.0.36 due to CVE-2020-11996 (OFBIZ-11848) (mailing-list, x_refsource_MLIST)
[ofbiz-commits] 20200628 [ofbiz-framework] branch trunk updated: Fixed: Upgrades Tomcat to 9.0.36 due to CVE-2020-11996 (OFBIZ-11848) (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2020-11996?: CVE-2020-11996 is a vulnerability in Apache Tomcat. Published 2020-06-26.
Is CVE-2020-11996 known to be exploited?: 15 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.