What is CVE-2020-13935?

CVE-2020-13935 is a vulnerability in Apache Tomcat. Published 2020-07-14.

Is CVE-2020-13935 known to be exploited?

53 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple reques…

EPSS: 0.922 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Tomcat — versions Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, 7.0.27 to 7.0.104

Public proof-of-concept exploits

References

lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b8… (x_refsource_MISC)
DSA-4727 (vendor-advisory, x_refsource_DEBIAN)
[debian-lts-announce] 20200722 [SECURITY] [DLA 2286-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
openSUSE-SU-2020:1102 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2020:1111 (vendor-advisory, x_refsource_SUSE)
USN-4448-1 (vendor-advisory, x_refsource_UBUNTU)
www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
security.netapp.com/advisory/ntap-20200724-0003/ (x_refsource_CONFIRM)
kc.mcafee.com/corporate/index (x_refsource_CONFIRM)
USN-4596-1 (vendor-advisory, x_refsource_UBUNTU)

Frequently asked questions

What is CVE-2020-13935?: CVE-2020-13935 is a vulnerability in Apache Tomcat. Published 2020-07-14.
Is CVE-2020-13935 known to be exploited?: 53 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.