Apache Tomcat HTTP/2 Request header mix-up vulnerability [CVE-2020-17527]

December 8, 2020 Duncan 2640 Views 0 Comments Apache Tomcat, CVE-2020-17527, Request header mix-up vulnerability 0 min read

CVE number – CVE-2020-17527

While investigating Bug 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Versions Affected:

Apache Tomcat 10.0.0-M1 to 10.0.0-M9

Apache Tomcat 9.0.0.M5 to 9.0.39

Apache Tomcat 8.5.1 to 8.5.59

Mitigation: –

Upgrade to Apache Tomcat 10.0.0-M10 or later

Upgrade to Apache Tomcat 9.0.40 or later

Upgrade to Apache Tomcat 8.5.60 or later

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Apache Tomcat HTTP/2 Request header mix-up vulnerability [CVE-2020-17527]

Like this:

Related Posts

Duncan

Leave a ReplyCancel reply

Share this:

Like this:

Related Posts

Duncan

Leave a ReplyCancel reply