Home > Vulnerability Database > CVE-2020-13935

Mend.io Vulnerability Database

CVE-2020-13935

Good to know:

Date: July 14, 2020

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Language: Java

Severity Score

7.5

Related Resources (22)

Url: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10332

Url: https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuApr2021.html

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-13935

Url: https://usn.ubuntu.com/4596-1/

Url: https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50@%3Cusers.tomcat.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2020-13935

Url: https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html

Url: https://www.oracle.com/security-alerts/cpuoct2020.html

Url: https://www.oracle.com/security-alerts/cpujan2021.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-13935

Url: https://www.debian.org/security/2020/dsa-4727

Url: https://www.oracle.com/security-alerts/cpujan2022.html

Url: https://security.netapp.com/advisory/ntap-20200724-0003/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html

Url: https://usn.ubuntu.com/4448-1/

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://www.oracle.com/security-alerts/cpuapr2022.html

Url: https://www.oracle.com/security-alerts/cpuoct2021.html

Url: https://access.redhat.com/security/cve/CVE-2020-13935

Url: https://www.mend.io/vulnerability-database/CVE-2020-13935

Severity Score

7.5

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat:tomcat-websocket:7.0.105,8.5.57,9.0.37,10.0.0-M7;org.apache.tomcat.embed:tomcat-embed-websocket:7.0.105,8.5.57,9.0.37,10.0.0-M7

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-13935

Good to know:

Date: July 14, 2020

Language: Java

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?