CVE-2020-17527

CVE-2020-17527: Apache Tomcat: Request header mix-up between HTTP/2 streams

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-200 · Info exposure

Published December 3, 2020

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Key dates

02Disclosure timeline

December 3, 2020 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-17527

Related vulnerabilities

Identifiers

CVE CVE-2020-17527

CWE CWE-200

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected Apache Tomcat 10 10.0.0-M1 to 10.0.0-M9

Vendor Apache Software Foundation

Product Apache Tomcat

Affected Apache Tomcat 9 9.0.0-M1 to 9.0.39

Vendor Apache Software Foundation

Product Apache Tomcat

Affected Apache Tomcat 8.5 8.5.0 to 8.5.59

CVE-2020-17527: Apache Tomcat: Request header mix-up between HTTP/2 streams

01Description

02Disclosure timeline

03References

04Related CVE