What is CVE-2020-13943?

CVE-2020-13943 is a vulnerability in Apache Tomcat. Published 2020-10-12.

Is CVE-2020-13943 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Tomcat

CVE-2020-13943

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible…

EPSS: 0.573 (98.9th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Tomcat — versions Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37, 8.5.0 to 8.5.57

Public proof-of-concept exploits

References

lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514… (x_refsource_MISC)
[debian-lts-announce] 20201014 [SECURITY] [DLA 2407-1] tomcat8 security update (mailing-list, x_refsource_MLIST)
openSUSE-SU-2020:1799 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2020:1842 (vendor-advisory, x_refsource_SUSE)
DSA-4835 (vendor-advisory, x_refsource_DEBIAN)
www.oracle.com/security-alerts/cpuApr2021.html (x_refsource_MISC)
security.netapp.com/advisory/ntap-20201016-0007/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2020-13943?: CVE-2020-13943 is a vulnerability in Apache Tomcat. Published 2020-10-12.
Is CVE-2020-13943 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.