
False Positive on Tomcat 9.0.38 and upper reporting CVE-2020-13943


False positive on Tomcat 9.0.38+

According to Tomcat, the problem related to CVE-2020-13943 has been solved in version 9.0.38. See: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38

CPE

cpe:2.3:a:apache:tomcat:9.0.38:*:*:*:*:*:*:*

CVE

CVE-2020-13943

Maven

<dependency>
   <groupId>org.apache.tomcat.embed</groupId>
   <artifactId>tomcat-embed-core</artifactId>
   <version>9.0.38</version>
</dependency>
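A small check for the situation described in this issue, added here as an example (it is not code from the issue or from the scanner): it reads the version out of the reported CPE, compares it against the fixed-in version quoted from the vendor advisory (9.0.38 for the 9.x branch), and orders Tomcat milestone builds such as 9.0.0-M1 before the corresponding release. Only the 9.x fixed-in version is taken from this page; other branches are left as "not covered" rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed-in version for the 9.x branch, as stated in the vendor advisory
# linked above. Other branches are deliberately absent (not on this page).
FIXED_IN = {9: "9.0.38"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_tomcat_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.38' or '9.0.0-M1' into a tuple that sorts correctly.

    A milestone (M-suffix) is a pre-release, so it must sort before the
    GA build with the same number: (9,0,0,0,1) < (9,0,0,1,0).
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def tomcat_version_from_cpe(cpe: str) -> str:
    """Extract the version field from a CPE 2.3 string for apache:tomcat."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:5] != ["cpe", "2.3", "a", "apache", "tomcat"]:
        raise ValueError(f"not an apache:tomcat CPE 2.3 string: {cpe!r}")
    return parts[5]


def is_vulnerable_to_cve_2020_13943(cpe: str) -> Optional[bool]:
    """True if the CPE's version predates the vendor fix, False if it is
    at or after the fix, None if the branch is not covered by FIXED_IN."""
    parsed = parse_tomcat_version(tomcat_version_from_cpe(cpe))
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_tomcat_version(fixed)


if __name__ == "__main__":
    # The CPE reported in this issue: fixed version, so the finding is a false positive.
    print(is_vulnerable_to_cve_2020_13943("cpe:2.3:a:apache:tomcat:9.0.38:*:*:*:*:*:*:*"))
```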

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
albuch commented, Nov 4, 2020

NIST finally answered:

Good Afternoon,

Thank you for bringing this to our attention. We appreciate community input in order to provide the most accurate and up-to-date information as possible. After reviewing publicly available information, we have made the appropriate modifications and removed the versions of Apache Tomcat that were not vulnerable IAW the vendor advisory. Please allow up to 24 hours for the changes to be reflected on the website and in the data feeds.

V/r, Common Platform Enumeration Team cpe_dictionary@nist.gov

1 reaction
albuch commented, Oct 29, 2020

@rd-matthias-jambor I’ve already contacted nist on that e-mail two days ago, though no response yet.

