CVE-2020-11996 (High) detected in tomcat-embed-core-9.0.35.jar #38
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
resolved |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2020-11996 - High Severity Vulnerability
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: activity-based-security-framework/easy-abac-demo/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.35/tomcat-embed-core-9.0.35.jar
Dependency Hierarchy:
Found in HEAD commit: cb9aa1f1165586d400b4da241ef8a658d18f653a
Found in base branch: master
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Publish Date: 2020-06-26
URL: CVE-2020-11996
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E,http://tomcat.apache.org/security-10.html
Release Date: 2020-06-26
Fix Resolution: org.apache.tomcat:tomcat-coyote:10.0.0-M6,9.0.36,8.5.56,org.apache.tomcat.embed:org.apache.tomcat.embed:10.0.0-M6,9.0.36,8.5.56
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: