7.5
CVSSv3

CVE-2020-13935

Published: 14/07/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance. (CVE-2019-12418) When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563) A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-13935) The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. (CVE-2021-43980) The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. (CVE-2022-45143) Apache Commons FileUpload prior to 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. (CVE-2023-24998) When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 9.0.0

apache tomcat 10.0.0

apache tomcat

debian debian linux 9.0

debian debian linux 10.0

netapp oncommand system manager

opensuse leap 15.1

opensuse leap 15.2

canonical ubuntu linux 20.04

canonical ubuntu linux 16.04

mcafee epolicy orchestrator 5.9.0

mcafee epolicy orchestrator 5.9.1

mcafee epolicy orchestrator 5.10.0

oracle managed file transfer 12.2.1.3.0

oracle instantis enterprisetrack 17.1

oracle instantis enterprisetrack 17.2

oracle instantis enterprisetrack 17.3

oracle agile plm 9.3.3

oracle agile plm 9.3.5

oracle agile plm 9.3.6

oracle workload manager 18c

oracle workload manager 19c

oracle workload manager 12.2.0.1

oracle agile engineering data management 6.2.1.0

oracle siebel ui framework

oracle mysql enterprise monitor

oracle managed file transfer 12.2.1.4.0

oracle commerce guided search 11.3.2

oracle fmw platform 12.2.1.4.0

oracle fmw platform 12.2.1.3.0

oracle communications cloud native core policy 1.14.0

oracle communications instant messaging server 10.0.1.5.0

oracle blockchain platform

Vendor Advisories

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in code execution or denial of service For the stable distribution (buster), these problems have been fixed in version 9031-1~deb10u2 We recommend that you upgrade your tomcat9 packages For the detailed security status of tomcat9 please refer to it ...
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 1000-M1 to 1000-M6, 900M1 to 9036, 850 to 8556 and 7027 to 70104 Invalid payload lengths could trigger an infinite loop Multiple requests with invalid payload lengths could lead to a denial of service (CVE-2020-13935) An h2c direct connection to ...
Synopsis Important: Red Hat JBoss Web Server 31 Service Pack 10 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31, for RHEL 6, RHEL 7 and WindowsRed Hat Product Security has rated this release as having a security impact of Importa ...
Synopsis Important: Red Hat JBoss Web Server 532 security update Type/Severity Security Advisory: Important Topic Updated Red Hat JBoss Web Server 532 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and WindowsRed Hat Product Security ha ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 64 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64Red Hat Product Security has rated this update as having a security impact of Important A C ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 64 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64Red Hat Product Security has rated this update as having a security impact of Important A C ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 64 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64Red Hat Product Security has rated this update as having a security impact of Important A C ...
Synopsis Important: Red Hat JBoss Web Server 532 security update Type/Severity Security Advisory: Important Topic Updated Red Hat JBoss Web Server 532 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8Red Hat Product Security has rated ...
Synopsis Important: Red Hat JBoss Web Server 31 Service Pack 10 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and RHEL 7Red Hat Product Security has rated this release as having a security impact of Important A Comm ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 64 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 5, 6, and 7Red Hat Product Security has rated this update as h ...
Synopsis Important: tomcat security and bug fix update Type/Severity Security Advisory: Important Topic An update for tomcat is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) b ...
Synopsis Important: Red Hat support for Spring Boot 226SP2 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat OpenShift Application RuntimesRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6424 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic A security update is now available for Red Hat JBoss Enterprise Application Platform ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6424 security update Type/Severity Security Advisory: Important Topic A security update is now available for Red Hat JBoss Enterprise Application Platform 64 Red Hat Product Security has rated this update as having a security impact of ImportantA Common Vulnerability Scori ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6424 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic A security update is now available for Red Hat JBoss Enterprise Application Platform ...
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack The attacker could then capture user names and passwords used to access the JMX interface ...
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack The attacker could then capture user names and passwords used to access the JMX interface ...
A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack The attacker could then capture user names and passwords used to access the JMX interface ...
An issue has been found in Apache Tomcat before 8557 and before 9037, where an h2c direct connection did not release the HTTP/11 processor after the upgrade to HTTP/2 If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service ...
Multiple vulnerabilities have been found in Hitachi Ops Center Common Services CVE-2019-20330, CVE-2020-7676, CVE-2020-8840, CVE-2020-11022, CVE-2020-11023, CVE-2020-11619, CVE-2020-13444, CVE-2020-13445, CVE-2020-13934, CVE-2020-13935 Affected products and versions are listed below Please upgrade your version to the appropriate version ...

Mailing Lists

CVE-2020-13935 Apache Tomcat WebSocket Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 1000-M1 to 1000-M6 Apache Tomcat 900M1 to 9036 Apache Tomcat 850 to 8556 Apache Tomcat 7027 to 70104 Description: The payload length in a WebSocket frame was not correctly validate ...

Github Repositories

Exploit for WebSocket Vulnerability in Apache Tomcat

Exploit for WebSocket Vulnerability in Apache Tomcat (CVE-2020-13935) In the corresponding blog post the analysis and exploitation of the vulnerability is explained in detail Usage Clone the repository, then build the tcdos binary Run the program as follows to test whether a particular WebSocket endpoint is vulnerable: $ git clone githubcom/RedTeamPentesting/CVE-2020

Exploit for WebSocket Vulnerability in Apache Tomcat (CVE-2020-13935) In the corresponding blog post the analysis and exploitation of the vulnerability is explained in detail Usage Clone the repository, then build the tcdos binary Run the program as follows to test whether a particular WebSocket endpoint is vulnerable: $ git clone githubcom/RedTeamPentesting/CVE-2020

Collection of exploits that were verified by an automated system

Collection of exploits that were verified by an automated system (It monitors different honeypots and feeds for new\potential exploits) The results are optimized python modules that can be integrated into your Vulnerability Intelligence Scanner Current Exploits CriticalCVE-2020-14882Oracle WebLogic Server Under Active Exploitation (RCE)Possible (+107,539 devices - 2020)