CVE-2020-13935

Public on 2020-07-14

Modified on 2023-05-05

Description

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.

Severity

Important

See what this means

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 2 - Core	tomcat	2023-05-11 17:49	ALAS2-2023-2047
Amazon Linux 2 - Tomcat8.5 Extra	tomcat	2023-08-21 20:58	ALAS2TOMCAT8.5-2023-013
Amazon Linux 2 - Tomcat9 Extra	tomcat	2023-08-21 20:58	ALAS2TOMCAT9-2023-008
Amazon Linux 1	tomcat8	2020-07-27 23:58	ALAS-2020-1409

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2020-13935 Mitre: CVE-2020-13935 FAQs regarding Amazon Linux ALAS/CVE Severity