The Apache Software Foundation has patched a Tomcat HTTP/2 Request header mix-up vulnerability CVE-2020-17527.
A cyber attacker could exploit this vulnerability to steal sensitive information.
“While investigating Bug 64830 it was discovered that Apache Tomcat could
re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests,” Apache stated in the security advisory.
Apache rates the vulnerability as Moderate severity.
In addition, Apache recommends upgrading Apache Tomcat to the following versions:
- 10.0.0-M10 or later.
- 9.0.40 or later
- 8.5.60 or later.
Organizations and users are strongly encouraged to upgrade to latest Apache Tomcat versions to address the vulnerability.