If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.09572}

epss

{'score': 0.12123}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T12:32:14.470Z

Reserved: 2020-06-08T00:00:00

Link: CVE-2020-13943

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-10-12T14:15:12.183

Modified: 2024-11-21T05:02:11.967

Link: CVE-2020-13943

cve-icon Redhat

Severity : Moderate

Publid Date: 2020-10-12T00:00:00Z

Links: CVE-2020-13943 - Bugzilla

cve-icon OpenCVE Enrichment

No data.