If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/1bbc650cbc3f08d85a1ec6d803c47ae53a84f3bb
Tomcat 9.0: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
Tomcat 8.5: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a

Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E
External References:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M8
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.58
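As an added triage helper, not part of this bug report and not code from the Tomcat project or Red Hat: the Python below decides whether a reported Tomcat version predates the fixed-in releases cited above (10.0.0-M8, 9.0.38, 8.5.58). It assumes that every earlier release on each of those three branches is affected, which the references imply but do not spell out, and it returns "unknown" for any branch not listed rather than treating it as safe. Milestone builds (10.0.0-M7, 9.0.0.M1) are ordered before the final release of the same number, so the comparison works for the 10.0 branch, where the fix itself is a milestone.

```python
"""Triage helper for CVE-2020-13943 (Tomcat HTTP/2 header mix-up).

Added example; fixed-in versions are taken from the bug report above.
"""
import re

# Fixed-in releases per branch, as cited in the bug report. Assumption:
# any earlier release on the same branch is affected.
FIXED_IN = {
    (10, 0): "10.0.0-M8",
    (9, 0): "9.0.38",
    (8, 5): "8.5.58",
}

# Accepts "9.0.37", "9.0.0.M1", "10.0.0-M7" and the "Apache Tomcat/9.0.37"
# form printed by catalina.sh version. Anything else is rejected.
_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$"
)


def parse_version(text):
    """Return a tuple that sorts Tomcat versions correctly.

    The fourth element is 0 for a milestone and 1 for a final release, so
    10.0.0-M7 < 10.0.0-M8 < 10.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the release predates the fix on its branch, False if not.

    Returns None for branches the report does not cover (for example 7.0 or
    8.0), so a caller can treat them as 'unknown' instead of 'fixed'.
    """
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(versions):
    """Map each version string to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {v: labels[is_affected(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["10.0.0-M7", "10.0.0-M8", "9.0.0.M1", "9.0.37",
              "Apache Tomcat/9.0.38", "8.5.57", "8.5.58", "7.0.105"]
    for version, status in triage(sample).items():
        print(f"{version:24} {status}")
```

Feed it the version strings your inventory tooling already collects; the point of the "unknown" result is that a branch missing from the report should prompt a look at the Apache security pages, not be silently counted as patched.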
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Enterprise Application Platform 6
* Red Hat JBoss Data Grid 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.4 on RHEL 7
Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:0494 https://access.redhat.com/errata/RHSA-2021:0494
This issue has been addressed in the following products:
Red Hat JBoss Web Server

Via RHSA-2021:0495 https://access.redhat.com/errata/RHSA-2021:0495
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13943
This issue has been addressed in the following products:
Red Hat Support for Spring Boot 2.4.9

Via RHSA-2021:4012 https://access.redhat.com/errata/RHSA-2021:4012
This issue has been addressed in the following products:
Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134