Your submission was sent successfully! Close

CVE-2020-13935

Published: 14 July 2020

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Ignored
(end of ESM support, was needs-triage)
trusty Needs triage

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
tomcat7
Launchpad, Ubuntu, Debian
bionic Needs triage

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Needs triage

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)
Patches:
upstream: https://github.com/apache/tomcat/commit/f9f75c14678b68633f79030ddf4ff827f014cc84
upstream: https://github.com/apache/tomcat/commit/4c04982870d6e730c38e21e58fb653b7cf723784


tomcat8
Launchpad, Ubuntu, Debian
bionic Needs triage

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial
Released (8.0.32-1ubuntu1.13)
Patches:


upstream: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5

tomcat9
Launchpad, Ubuntu, Debian
bionic Needs triage

eoan Ignored
(reached end-of-life)
focal
Released (9.0.31-1ubuntu0.1)
groovy Not vulnerable
(9.0.37-3)
hirsute Not vulnerable
(9.0.37-3)
impish Not vulnerable
(9.0.37-3)
jammy Not vulnerable
(9.0.37-3)
kinetic Not vulnerable
(9.0.37-3)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Patches:



upstream: https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d