Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2020-13935

Infinite Loop in Apache Tomcat

Description

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Base CVSS

7.5

EPSS Score

92.54%

Introduced Version

7.0.27

Fix Available

10.0.0-M7,9.0.37,8.5.57,7.0.105

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

org.apache.tomcat:tomcat-catalina

References

https://tomcat.apache.org/security-7.html

https://tomcat.apache.org/security-10.html

https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5

https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3

https://www.debian.org/security/2020/dsa-4727

https://security.netapp.com/advisory/ntap-20200724-0003

https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d

https://usn.ubuntu.com/4448-1

https://github.com/apache/tomcat/commit/f9f75c14678b68633f79030ddf4ff827f014cc84

https://tomcat.apache.org/security-8.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html

https://usn.ubuntu.com/4596-1

https://github.com/apache/tomcat/commit/4c04982870d6e730c38e21e58fb653b7cf723784

https://nvd.nist.gov/vuln/detail/CVE-2020-13935

https://kc.mcafee.com/corporate/index?page=content&id=SB10332

https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html

https://tomcat.apache.org/security-9.html

https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50@%3Cusers.tomcat.apache.org%3E

https://github.com/apache/tomcat

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpujan2021.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.