
We found results for “”
CVE-2020-17527
Good to know:


Date: December 3, 2020
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
Language: Java
Severity Score
Related Resources (50)
Severity Score
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200Top Fix

Upgrade Version
Upgrade to version org.optaweb.employeerostering:employee-rostering-backend:no_fix;org.apache.tomcat.embed:tomcat-embed-core:10.0.0-M10;org.apache.tomcat.embed:tomcat-embed-core:8.5.60;org.apache.tomcat.embed:tomcat-embed-core:9.0.40;org.optaweb.employeerostering:optaweb-employee-rostering-backend:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-backend:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-backend:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-backend:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-backend:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-standalone:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-standalone:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-standalone:no_fix;org.optaweb.employeerostering:optaweb-employee-rostering-standalone:no_fix;org.kie.kogito:dmn-pmml-springboot-example:1.6.0.Final;org.kie.kogito.examples:ruleunit-springboot-example:1.6.0.Final;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.optaweb.vehiclerouting:optaweb-vehicle-routing-backend:no_fix;org.kie.kogito:dmn-springboot-example:1.6.0.Final;org.apache.tomcat:tomcat-coyote:9.0.40;org.apache.tomcat:tomcat-coyote:8.5.60;org.apache.tomcat:tomcat-coyote:10.0.0-M10;org.kie.kogito:pmml-springboot-example:1.6.0.Final;org.kie.kogito:dmn-listener-springboot:1.6.0.Final;org.kie:jbpm-spring-boot-sample-basic:7.60.0.Final;org.kie.kogito.examples:dmn-drools-springboot-metrics:1.6.0.Final
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |
CVSS v2
Base Score: |
|
---|---|
Access Vector (AV): | NETWORK |
Access Complexity (AC): | LOW |
Authentication (AU): | NONE |
Confidentiality (C): | PARTIAL |
Integrity (I): | NONE |
Availability (A): | NONE |
Additional information: |