| Vulnerability Name | Information Disclosure Vulnerability in Apache Tomcat |
| Severity Rating | HIGH |
| Software Affected | |
Overview
A vulnerability has been reported in Apache Tomcat which could allow an attacker to disclose sensitive information of the target system.
Description
This vulnerability exists in Apache Tomcat because the server does not correctly handle an HTTP/2 client that exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol). An attacker could exploit this vulnerability by sending a specially-crafted HTTP request.
Successful exploitation of this vulnerability could allow the attacker to view responses for unexpected resources leading to further attacks.
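To illustrate the protocol rule the flaw concerns, the following is an added Python model (not Tomcat's code) of per-connection HTTP/2 stream accounting: once a client's HEADERS frame would exceed the advertised maximum concurrent streams, the server refuses that stream and keeps its headers out of the state used for other streams, so no request can be served with another request's headers. Stream ids, paths and the limit of 2 are constructed sample values.

```python
# Added example, not code from Tomcat. Models the RFC 7540 section 5.1.2 rule:
# a HEADERS frame that would exceed the advertised SETTINGS_MAX_CONCURRENT_STREAMS
# must be refused (REFUSED_STREAM) or treated as a PROTOCOL_ERROR, never processed.
from dataclasses import dataclass, field

PROTOCOL_ERROR = 0x1   # RFC 7540 error codes
REFUSED_STREAM = 0x7


@dataclass
class Http2Connection:
    max_concurrent_streams: int                 # value this server advertised
    open_streams: set = field(default_factory=set)
    headers_by_stream: dict = field(default_factory=dict)
    last_stream_id: int = 0
    refused: list = field(default_factory=list)

    def on_headers(self, stream_id, headers):
        """Handle a HEADERS frame that opens a new client-initiated stream."""
        # Client streams use odd, strictly increasing identifiers.
        if stream_id % 2 == 0 or stream_id <= self.last_stream_id:
            return ("GOAWAY", PROTOCOL_ERROR)
        self.last_stream_id = stream_id
        if len(self.open_streams) >= self.max_concurrent_streams:
            # Limit exceeded: refuse the stream and store nothing from it,
            # so its headers cannot be attached to any other request.
            self.refused.append(stream_id)
            return ("RST_STREAM", REFUSED_STREAM)
        self.open_streams.add(stream_id)
        # Every accepted stream gets its own fresh copy of its headers.
        self.headers_by_stream[stream_id] = dict(headers)
        return ("OK", None)

    def on_stream_closed(self, stream_id):
        """Release the stream slot and its per-stream header state."""
        self.open_streams.discard(stream_id)
        self.headers_by_stream.pop(stream_id, None)

    def path_for(self, stream_id):
        """The :path the server will route for an accepted stream."""
        return self.headers_by_stream[stream_id][":path"]


def demo():
    # Constructed scenario: limit 2, third stream opened while two are still open.
    conn = Http2Connection(max_concurrent_streams=2)
    r1 = conn.on_headers(1, {":method": "GET", ":path": "/admin/report"})
    r2 = conn.on_headers(3, {":method": "GET", ":path": "/public/index.html"})
    r3 = conn.on_headers(5, {":method": "GET", ":path": "/login"})
    return r1, r2, r3, conn
```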
Solution
Upgrade to the latest Apache Tomcat version:
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-10.html
Vendor Information
Apache Tomcat
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-10.html
References
Apache Tomcat
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-10.html
RedHat
https://access.redhat.com/security/cve/cve-2020-13943
IBM X-Force Exchange
https://exchange.xforce.ibmcloud.com/vulnerabilities/189643
CVE Name
CVE-2020-13943
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Note: Any unusual activity or attack should be reported immediately at incident@cert-in.org.in, cert.ksitm@kerala.gov.in with the relevant logs for analysis and taking further appropriate actions.