CVE-2020-17527

NameCVE-2020-17527
DescriptionWhile investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2495-1, DSA-4835-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat9 (PTS)bullseye (security), bullseye9.0.43-2~deb11u10fixed
bookworm9.0.70-2fixed
sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat8sourcestretch8.5.54-0+deb9u5DLA-2495-1
tomcat8source(unstable)(unfixed)
tomcat9sourcebuster9.0.31-1~deb10u3DSA-4835-1
tomcat9source(unstable)9.0.40-1

Notes

https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65 (9.0.40)
https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29 (8.5.60)
Search for package or bug name: Reporting problems