This repository has been archived by the owner on Jan 12, 2024. It is now read-only.
CVE-2020-11996 (High) detected in tomcat-embed-core-9.0.27.jar - autoclosed #19
Security vulnerability detected by WhiteSource
CVE-2020-11996 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-9.0.27.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: remote-device-client/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.27/tomcat-embed-core-9.0.27.jar
Dependency Hierarchy:
Found in HEAD commit: 772c0e629e3808cf31104e97f73dbd1621b76476
Found in base branch: master
Vulnerability Details
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Publish Date: 2020-06-26
URL: CVE-2020-11996
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E, http://tomcat.apache.org/security-10.html
Release Date: 2020-06-26
Fix Resolution: org.apache.tomcat:tomcat-coyote:10.0.0-M6,9.0.36,8.5.56,org.apache.tomcat.embed:org.apache.tomcat.embed:10.0.0-M6,9.0.36,8.5.56