CVE-2020-13935 - Vulnerability Details

- tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

Description

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Published: 2020-07-14

Score: 7.5 High

EPSS: 91.7% High

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Apache Tomcat

affected

Version	Status	Constraints
`Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, 7.0.27 to 7.0.104`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.0.0:milestone6::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 [-]

cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::

Configuration 6 [-]

OR	cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:::::::*
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:::::::*
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7::::::
	cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8::::::

Configuration 7 [-]

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:blockchain_platform::::::::
	cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
	cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:::::::*
	cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::*
	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:siebel_ui_framework::::::::
	cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
	cpe:2.3:a:oracle:workload_manager:18c:::::::*
	cpe:2.3:a:oracle:workload_manager:19c:::::::*

Package	CPE	Advisory	Released Date
EAP 6.4.24 release
	cpe:/a:redhat:jboss_enterprise_application_platform:6	RHSA-2022:5458	2022-06-30T00:00:00Z
Red Hat Enterprise Linux 7
tomcat-0:7.0.76-15.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:4004	2020-09-29T00:00:00Z
Red Hat Fuse 7.9
tomcat	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:3140	2021-08-11T00:00:00Z
Red Hat JBoss Enterprise Application Platform 6.4 async
jbossweb	cpe:/a:redhat:jboss_enterprise_application_platform:6.4	RHSA-2020:3382	2020-08-10T00:00:00Z
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
jbossweb-0:7.5.31-2.Final_redhat_2.1.ep6.el5	cpe:/a:redhat:jboss_enterprise_application_platform:6::el5	RHSA-2020:3383	2020-08-10T00:00:00Z
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
jbossweb-0:7.5.31-2.Final_redhat_2.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2020:3383	2020-08-10T00:00:00Z
jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el6	cpe:/a:redhat:jboss_enterprise_application_platform:6::el6	RHSA-2022:5459	2022-06-30T00:00:00Z
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
jbossweb-0:7.5.31-2.Final_redhat_2.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2020:3383	2020-08-10T00:00:00Z
jboss-as-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-appclient-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-bundles-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-cli-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-client-all-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-clustering-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-cmp-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-connector-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-controller-client-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-core-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-core-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-deployment-repository-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-deployment-scanner-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-domain-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-domain-http-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-domain-management-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-ee-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-ee-deployment-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-ejb3-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-embedded-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-host-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jacorb-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-javadocs-0:7.5.24-1.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jaxr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jaxrs-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jdr-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jpa-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jsf-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-jsr77-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-logging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-mail-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-management-client-content-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-messaging-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-modcluster-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-modules-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-naming-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-network-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-osgi-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-osgi-configadmin-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-osgi-service-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-picketlink-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-platform-mbean-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-pojo-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-process-controller-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-product-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-protocol-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-remoting-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-sar-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-security-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-server-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-standalone-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-system-jmx-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-threads-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-transactions-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-version-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-web-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-webservices-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossas-welcome-content-eap-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-weld-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jboss-as-xts-0:7.5.24-2.Final_redhat_00001.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossts-1:4.17.45-2.Final_redhat_2.1.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
jbossweb-0:7.5.32-2.Final_redhat_1.2.ep6.el7	cpe:/a:redhat:jboss_enterprise_application_platform:6::el7	RHSA-2022:5460	2022-06-30T00:00:00Z
Red Hat JBoss Web Server 3.1
tomcat	cpe:/a:redhat:jboss_enterprise_web_server:3.1	RHSA-2020:3305	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 3 for RHEL 6
tomcat7-0:7.0.70-41.ep7.el6	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6	RHSA-2020:3303	2020-08-04T00:00:00Z
tomcat8-0:8.0.36-45.ep7.el6	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6	RHSA-2020:3303	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 3 for RHEL 7
tomcat7-0:7.0.70-41.ep7.el7	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7	RHSA-2020:3303	2020-08-04T00:00:00Z
tomcat8-0:8.0.36-45.ep7.el7	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7	RHSA-2020:3303	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 6
jws5-tomcat-0:9.0.30-5.redhat_6.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6	RHSA-2020:3306	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 7
jws5-tomcat-0:9.0.30-5.redhat_6.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7	RHSA-2020:3306	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 8
jws5-tomcat-0:9.0.30-5.redhat_6.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8	RHSA-2020:3306	2020-08-04T00:00:00Z
Red Hat JBoss Web Server (JWS) 5.3
tomcat	cpe:/a:redhat:jboss_enterprise_web_server:5.3	RHSA-2020:3308	2020-08-04T00:00:00Z
Red Hat Runtimes Spring Boot 2.2.6
tomcat	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2020:3806	2020-09-23T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-2286-1	tomcat8 security update
Github GHSA	GHSA-m7jv-hq7h-mq7c	Infinite Loop in Apache Tomcat
Ubuntu USN	USN-4448-1	Tomcat vulnerabilities
Ubuntu USN	USN-4596-1	Tomcat vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.91745.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
https://kc.mcafee.com/corporate/index?page=content&id=SB10332
https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html
https://nvd.nist.gov/vuln/detail/CVE-2020-13935
https://security.netapp.com/advisory/ntap-20200724-0003/
https://usn.ubuntu.com/4448-1/
https://usn.ubuntu.com/4596-1/
https://www.cve.org/CVERecord?id=CVE-2020-13935
https://www.debian.org/security/2020/dsa-4727
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpuoct2021.html

History

No history.

Subscriptions

Apache Tomcat

Canonical Ubuntu Linux

Debian Debian Linux

Mcafee Epolicy Orchestrator

Netapp Oncommand System Manager

Opensuse Leap

Oracle Agile Engineering Data Management Agile Plm Blockchain Platform Commerce Guided Search Communications Cloud Native Core Policy Communications Instant Messaging Server Fmw Platform Instantis Enterprisetrack Managed File Transfer Mysql Enterprise Monitor Siebel Ui Framework Workload Manager

Redhat Enterprise Linux Jboss Enterprise Application Platform Jboss Enterprise Web Server Jboss Fuse Openshift Application Runtimes

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2020-07-14T15:00:21.000Z

Updated: 2024-08-04T12:32:14.307Z

Reserved: 2020-06-08T00:00:00.000Z

Link: CVE-2020-13935

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-07-14T15:15:11.070

Modified: 2024-11-21T05:02:10.907

Link: CVE-2020-13935

Redhat

Severity : Important

Publid Date: 2020-07-15T00:00:00Z

Links: CVE-2020-13935 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object