Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
[
{
"vendor": "Apache Software Foundation",
"product": "Apache Tomcat",
"versions": [
{
"status": "affected",
"version": "11.0.0-M1",
"versionType": "semver",
"lessThanOrEqual": "11.0.0-M20"
},
{
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver",
"lessThanOrEqual": "10.1.24"
},
{
"status": "affected",
"version": "9.0.0-M1",
"versionType": "semver",
"lessThanOrEqual": "9.0.89"
}
],
"defaultStatus": "unaffected"
}
]
[
{
"cpes": [
"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"
],
"vendor": "apache",
"product": "tomcat",
"versions": [
{
"status": "affected",
"version": "9.0.0-m1",
"versionType": "semver",
"lessThanOrEqual": "9.0.89"
},
{
"status": "affected",
"version": "10.1.0-m1",
"versionType": "semver",
"lessThanOrEqual": "10.1.24"
},
{
"status": "affected",
"version": "11.0.0-m1",
"versionType": "semver",
"lessThanOrEqual": "11.0.0-m20"
}
],
"defaultStatus": "unaffected"
}
]