Your submission was sent successfully! Close

CVE-2020-17527

Published: 3 December 2020

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
tomcat8
Launchpad, Ubuntu, Debian
bionic Needed

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(code not present)
tomcat9
Launchpad, Ubuntu, Debian
bionic
Released (9.0.16-3ubuntu0.18.04.2)
focal
Released (9.0.31-1ubuntu0.2)
groovy Ignored
(reached end-of-life)
hirsute Not vulnerable

impish Not vulnerable

jammy Not vulnerable

precise Does not exist

trusty Does not exist

upstream
Released (9.0.40-1)
xenial Does not exist