VDB
RHSA-2021%3A4012
RHSA-2021%3A4012
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A flaw was found in Apache Tomcat. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. The highest threat from this vulnerability is to data confidentiality.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat Support for Spring Boot 2.4.9 |
Timeline
- Oct 28, 2021 CVE Published
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2021:4012 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.spring.boot&version=2.4.9 advisory
- https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.4/html/release_notes_for_spring_boot_2.4/index advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1887648 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1904221 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_4012.json advisory
- https://access.redhat.com/security/cve/CVE-2020-13943 advisory
- https://www.cve.org/CVERecord?id=CVE-2020-13943 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2020-13943 advisory
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E advisory
- http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M8 advisory
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.58 advisory
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38 advisory
- https://access.redhat.com/security/cve/CVE-2020-17527 advisory
- https://www.cve.org/CVERecord?id=CVE-2020-17527 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2020-17527 advisory
- http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M10 advisory
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60 advisory
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40 advisory