CVE-2020-13943 Overview
CVE-2020-13943 is an information disclosure vulnerability in Apache Tomcat affecting the HTTP/2 connection handler. When an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection, a subsequent request on that connection can contain HTTP headers — including HTTP/2 pseudo headers — from a previous request rather than the intended ones. The result is that authenticated users may receive responses for resources they did not request. Affected versions include Apache Tomcat 10.0.0-M1 through 10.0.0-M7, 9.0.0.M1 through 9.0.37, and 8.5.0 through 8.5.57. Downstream products from Debian, openSUSE, NetApp, and Oracle (Instantis EnterpriseTrack, SD-WAN Edge) also incorporated the affected code.
Critical Impact
Authenticated clients sharing an HTTP/2 connection can receive responses intended for other requests, leading to confidentiality loss across user sessions.
Affected Products
- Apache Tomcat 8.5.0 to 8.5.57, 9.0.0.M1 to 9.0.37, 10.0.0-M1 to 10.0.0-M7
- Debian Linux 9 and 10 (Tomcat package)
- Oracle Instantis EnterpriseTrack 17.1, 17.2, 17.3 and Oracle SD-WAN Edge 9.0
Discovery Timeline
- 2020-10-12 - CVE-2020-13943 published to the National Vulnerability Database
- 2020-10-12 - Apache Tomcat project publishes security announcement
- 2021-04 - Oracle includes the fix in the April 2021 Critical Patch Update
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-13943
Vulnerability Analysis
The flaw resides in Apache Tomcat's HTTP/2 multiplexing logic. HTTP/2 allows multiple concurrent streams over a single TCP connection, with the server advertising its limit via the SETTINGS_MAX_CONCURRENT_STREAMS parameter. When a client violates this limit, Tomcat fails to correctly isolate per-stream header state: internal request objects retain header data, including the pseudo headers :path, :method, and :authority, from earlier streams. A later request on the same connection inherits these stale values, so Tomcat routes it to a resource the client never asked for. The response sent back may belong to a different user or session sharing the connection. NVD records the weakness as CWE-noinfo (insufficient information to assign a specific CWE) and describes the impact as information disclosure.
Root Cause
The root cause is incorrect state handling when the protocol invariant — concurrent stream count — is breached. Rather than resetting or rejecting the offending streams cleanly, Tomcat reuses request structures that still carry pseudo header values from prior requests. This is a protocol state management defect specific to the HTTP/2 connector.
Attack Vector
Exploitation requires a network-reachable HTTP/2 endpoint and an authenticated client capable of issuing concurrent streams beyond the negotiated maximum. An attacker who can establish an HTTP/2 session — directly or via a shared connection on a forward proxy — can trigger the condition by deliberately exceeding the stream limit. The attacker does not need control of the server; manipulating the stream count is sufficient to cause cross-request response leakage.
// No verified proof-of-concept code is publicly available for CVE-2020-13943.
// The condition is triggered by an HTTP/2 client deliberately opening more
// concurrent streams than the server-advertised SETTINGS_MAX_CONCURRENT_STREAMS,
// then issuing a subsequent request whose pseudo headers (:path, :method,
// :authority, :scheme) are inherited from a prior stream.
// Refer to the Apache Tomcat announcement for protocol-level details.
Detection Methods for CVE-2020-13943
Indicators of Compromise
- Application logs showing responses returned for URIs the client did not request, or mismatched :path values between access logs and application-layer logs.
- HTTP/2 RST_STREAM frames or PROTOCOL_ERROR conditions associated with clients that previously opened a high stream count.
- User-reported sightings of content belonging to other authenticated sessions.
Detection Strategies
- Inventory all Tomcat instances and compare versions against the affected ranges (8.5.0 to 8.5.57, 9.0.0.M1 to 9.0.37, 10.0.0-M1 to 10.0.0-M7).
- Enable HTTP/2 access logging with the stream identifier and pseudo header values, then correlate request URIs against backend application logs to spot drift.
- Monitor HTTP/2 frame statistics on load balancers and reverse proxies for clients that exceed SETTINGS_MAX_CONCURRENT_STREAMS.
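As an added example (not code from the advisory or from the Tomcat project), the following Python script implements the version triage from the first strategy above. It parses both of Tomcat's milestone notations (9.0.0.M1 and 10.0.0-M1) so that a milestone sorts before the corresponding GA release; the sample inventory at the bottom is constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges for CVE-2020-13943 as stated in the advisory text above:
# (first affected release, last affected release). The fixed release is the next one.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.57"),
    ("9.0.0.M1", "9.0.37"),
    ("10.0.0-M1", "10.0.0-M7"),
]

# Tomcat writes milestones as "9.0.0.M1" (8.x/9.x) or "10.0.0-M1" (10.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a comparable tuple.

    The tuple is (major, minor, patch, is_ga, milestone): a milestone carries
    is_ga=0 so it orders before the GA build with the same number, and higher
    milestone numbers order after lower ones.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive at both ends)."""
    key = parse_version(version)
    return any(parse_version(low) <= key <= parse_version(high) for low, high in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventoried version to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["8.5.57", "8.5.58", "9.0.0.M1", "9.0.38", "10.0.0-M7", "10.0.0-M8", "7.0.105"]
    for ver, status in triage(sample).items():
        print(f"{ver:12} {status}")
```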
Monitoring Recommendations
- Forward Tomcat access logs and connector metrics to a centralized logging platform for retrospective analysis.
- Alert on anomalous response-to-request ratios or unexpected Content-Length mismatches across user sessions.
- Track patch state of Tomcat across the estate as a continuous configuration management control.
How to Mitigate CVE-2020-13943
Immediate Actions Required
- Upgrade Apache Tomcat to 8.5.58, 9.0.38, or 10.0.0-M8 or later.
- Apply vendor patches from Debian (DSA-4835), openSUSE, NetApp, and Oracle (April 2021 Critical Patch Update) for downstream products.
- If patching is delayed, disable the HTTP/2 connector by removing the UpgradeProtocol element for Http2Protocol from server.xml.
Patch Information
Fixed versions are Apache Tomcat 8.5.58, 9.0.38, and 10.0.0-M8. See the Apache Tomcat Announcement, the Debian Security Advisory DSA-4835, the NetApp Security Advisory NTAP-20201016-0007, and the Oracle April 2021 Security Alert for distribution-specific package versions.
Workarounds
- Disable HTTP/2 on the Tomcat connector and serve clients over HTTP/1.1 until the upgrade is applied.
- Place a patched HTTP/2-terminating reverse proxy in front of Tomcat so Tomcat receives only HTTP/1.1 requests.
- Reduce maxConcurrentStreams and enforce strict client validation at the upstream load balancer to limit exposure.
# Example: disable the HTTP/2 UpgradeProtocol in Tomcat server.xml
# Remove or comment out the following line within the <Connector> element:
# <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
#
# Then restart Tomcat
sudo systemctl restart tomcat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.