What is CVE-2020-13934?

CVE-2020-13934 is a vulnerability in Apache Tomcat. Published 2020-07-14.

Is CVE-2020-13934 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryE…

EPSS: 0.641 (99.1th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Tomcat — versions Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36, 8.5.1 to 8.5.56

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652e… (x_refsource_MISC)
DSA-4727 (vendor-advisory, x_refsource_DEBIAN)
[debian-lts-announce] 20200722 [SECURITY] [DLA 2286-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
openSUSE-SU-2020:1102 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2020:1111 (vendor-advisory, x_refsource_SUSE)
[tomcat-dev] 20200818 [Bug 64671] HTTP/2 Stream.receivedData method throwing continuous NullPointerException in the logs (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
security.netapp.com/advisory/ntap-20200724-0003/ (x_refsource_CONFIRM)
USN-4596-1 (vendor-advisory, x_refsource_UBUNTU)
www.oracle.com/security-alerts/cpujan2021.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-13934?: CVE-2020-13934 is a vulnerability in Apache Tomcat. Published 2020-07-14.
Is CVE-2020-13934 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.