CVSS base score: 7.5

CVE-2020-13934

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

Data is provided by the National Vulnerability Database (NVD)
Affected products (CPE configurations):
- Apache Tomcat, versions >= 8.5.1 and <= 8.5.56
- Apache Tomcat, versions >= 9.0.1 and <= 9.0.36
- Apache Tomcat 9.0.0 milestones M5, M6, M7, M8, M9, M10, M11, M12, M13, M14, M15, M16, M17, M18, M19, M20, M21, M22, M23, M24, M25, M26, M27
- Apache Tomcat 10.0.0 milestones M1, M2, M3, M4, M5, M6
- Debian Linux 9.0, 10.0
- NetApp OnCommand System Manager, versions >= 3.0.0 and <= 3.1.3
- openSUSE Leap 15.1, 15.2
- Canonical Ubuntu Linux 20.04 LTS
- Oracle Agile PLM 9.3.3, 9.3.5, 9.3.6
- Oracle FMW Platform 12.2.1.3.0, 12.2.1.4.0
- Oracle Managed File Transfer 12.2.1.3.0, 12.2.1.4.0
- Oracle MySQL Enterprise Monitor, versions <= 8.0.21
- Oracle Siebel UI Framework, versions <= 20.12
- Oracle Workload Manager 12.2.0.1, 18c, 19c
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS metrics

Type | Source    | Score  | Percentile
EPSS | FIRST.org | 23.38% | 0.958
CVSS metrics

Source       | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 7.5        | 3.9           | 3.6          | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov | 5          | 10            | 2.9          | AV:N/AC:L/Au:N/C:N/I:N/A:P (CVSS v2 vector)
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.