Back to search
CVE-2020-17527
Published: Dec 3, 2020
Modified: Feb 13, 2025
PUBLISHED
Description
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Tomcat | affected Apache Tomcat 10 10.0.0-M1 to 10.0.0-M9affected Apache Tomcat 9 9.0.0-M1 to 9.0.39affected Apache Tomcat 8.5 8.5.0 to 8.5.59 |
Weaknesses (CWE)
References
[tomcat-dev] 20201203 [SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[announce] 20201203 [SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[tomcat-users] 20201203 [SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[tomcat-announce] 20201203 [SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[oss-security] 20201203 [SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[guacamole-issues] 20201206 [jira] [Created] (GUACAMOLE-1229) Fix in Dockerhub for latest CVE-2020-17527
mailing-list
x_refsource_MLIST
[guacamole-issues] 20201206 [jira] [Commented] (GUACAMOLE-1229) Fix in Dockerhub for latest CVE-2020-17527
mailing-list
x_refsource_MLIST
[debian-lts-announce] 20201216 [SECURITY] [DLA 2495-1] tomcat8 security update
mailing-list
x_refsource_MLIST
GLSA-202012-23
vendor-advisory
x_refsource_GENTOO
[announce] 20210119 Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[tomcat-dev] 20210119 Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[tomcat-announce] 20210119 Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
[tomcat-users] 20210119 Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
mailing-list
x_refsource_MLIST
DSA-4835
vendor-advisory
x_refsource_DEBIAN
https://www.oracle.com/security-alerts/cpuApr2021.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20201210-0003/
x_refsource_CONFIRM
https://www.oracle.com//security-alerts/cpujul2021.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.html
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now