A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.37116.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Netapp
  • Oncommand System Manager
Opensuse
  • Leap
Oracle
  • Mysql Enterprise Monitor
  • Siebel Ui Framework
  • Workload Manager
Redhat
  • Jboss Enterprise Web Server
  • Jboss Fuse
  • Openshift Application Runtimes

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 5 [-]

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:a:netapp:oncommand_system_manager:3.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_system_manager:3.1.3:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Fuse 7.9
tomcat cpe:/a:redhat:jboss_fuse:7 RHSA-2021:3140 2021-08-11T00:00:00Z
Red Hat JBoss Web Server 5
tomcat cpe:/a:redhat:jboss_enterprise_web_server:5.4 RHSA-2020:5173 2020-11-23T00:00:00Z
Red Hat JBoss Web Server 5.4 on RHEL 6
jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-0:9.0.36-6.redhat_5.2.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-native-0:1.2.25-2.redhat_2.el6jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6 RHSA-2020:5170 2020-11-23T00:00:00Z
Red Hat JBoss Web Server 5.4 on RHEL 7
jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-0:9.0.36-6.redhat_5.2.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-native-0:1.2.25-2.redhat_2.el7jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7 RHSA-2020:5170 2020-11-23T00:00:00Z
Red Hat JBoss Web Server 5.4 on RHEL 8
jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-0:9.0.36-6.redhat_5.2.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8 RHSA-2020:5170 2020-11-23T00:00:00Z
jws5-tomcat-native-0:1.2.25-2.redhat_2.el8jws cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8 RHSA-2020:5170 2020-11-23T00:00:00Z
Red Hat support for Spring Boot 2.3.6
tomcat cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2021:0292 2021-02-02T00:00:00Z
Text-Only RHOAR
tomcat cpe:/a:redhat:openshift_application_runtimes:1.0 RHSA-2020:5388 2021-01-07T00:00:00Z

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-2279-1 tomcat8 security update
Github GHSA Github GHSA GHSA-53hp-jpwq-2jgq Uncontrolled Resource Consumption in Apache Tomcat
Ubuntu USN Ubuntu USN USN-4596-1 Tomcat vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00072.html cve-icon cve-icon
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E cve-icon
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M6 cve-icon
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56 cve-icon
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36 cve-icon
https://lists.apache.org/thread.html/r2529016c311ce9485e6f173446d469600fdfbb94dccadfcd9dfdac79%40%3Cusers.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3ea96d8f36dd404acce83df8aeb22a9e807d6c13ca9c5dec72f872cd%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r5a4f80a6acc6607d61dae424b643b594c6188dd4e1eff04705c10db2%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6c29801370a36c1a5159679269777ad0c73276d3015b8bbefea66e5c%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r74f5a8204efe574cbfcd95b2a16236fe95beb45c4d9fee3dc789dca9%40%3Ccommits.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r8f3d416c193bc9384a8a7dd368623d441f5fcaff1057115008100561%40%3Ccommits.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r93ca628ef3a4530dfe5ac49fddc795f0920a4b2a408b57a30926a42b%40%3Ccommits.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9ad911fe49450ed9405827af0e7a74104041081ff91864b1f2546bbd%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb4ee49ecc4c59620ffd5e66e84a17e526c2c3cfa95d0cd682d90d338%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb820f1a2a02bf07414be12c653c2ab5321fd87b9bf6c5e635c53ff4b%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc80b96b4b96618b2b7461cb90664a428cfd6605eea9f74e51b792542%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rea65d6ef2e45dd1c45faae83922042732866c7b88fa109b76c83db52%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ref0339792ac6dac1dba83c071a727ad72380899bde60f6aaad4031b9%40%3Cnotifications.ofbiz.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2020-11996 cve-icon
https://security.netapp.com/advisory/ntap-20200709-0002/ cve-icon cve-icon
https://usn.ubuntu.com/4596-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2020-11996 cve-icon
https://www.debian.org/security/2020/dsa-4727 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2021.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2020.html cve-icon cve-icon
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.37402}

 epss

{'score': 0.37363}
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T11:48:57.318Z

Reserved: 2020-04-21T00:00:00

Link: CVE-2020-11996

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-06-26T17:15:10.153

Modified: 2024-11-21T04:59:04.687

Link: CVE-2020-11996

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-06-25T00:00:00Z

Links: CVE-2020-11996 - Bugzilla

cve-icon OpenCVE Enrichment

No data.