{"id":"CVE-2020-13935","details":"The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.","aliases":["BIT-tomcat-2020-13935","GHSA-m7jv-hq7h-mq7c"],"modified":"2026-05-15T12:03:58.961779728Z","published":"2020-07-14T15:15:11.070Z","related":["SUSE-SU-2020:2037-1","SUSE-SU-2020:2045-1","SUSE-SU-2020:2046-1","SUSE-SU-2020:2047-1","SUSE-SU-2020:2611-1","SUSE-SU-2026:1058-1","openSUSE-SU-2020:1102-1","openSUSE-SU-2020:1111-1","openSUSE-SU-2024:12103-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"],"vendor_product":"canonical:ubuntu_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"},{"last_affected":"20.04"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}]},{"cpes":["cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*","cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*"],"vendor_product":"mcafee:epolicy_orchestrator","source":"CPE_FIELD","extracted_events":[{"last_affected":"5.9.0"},{"last_affected":"5.9.1"},{"last_affected":"5.10.0-NA"},{"last_affected":"5.10.0-update_1"},{"last_affected":"5.10.0-update_2"},{"last_affected":"5.10.0-update_3"},{"last_affected":"5.10.0-update_4"},{"last_affected":"5.10.0-update_5"},{"last_affected":"5.10.0-update_6"},{"last_affected":"5.10.0-update_7"},{"last_affected":"5.10.0-update_8"}]},{"cpes":["cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.0.0"},{"last_affected":"3.1.3"}],"source":"CPE_FIELD","vendor_product":"netapp:oncommand_system_manager"},{"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"15.1"},{"last_affected":"15.2"}],"source":"CPE_FIELD","vendor_product":"opensuse:leap"},{"cpes":["cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:agile_engineering_data_management","source":"CPE_FIELD","extracted_events":[{"last_affected":"6.2.1.0"}]},{"cpes":["cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"9.3.3"},{"last_affected":"9.3.5"},{"last_affected":"9.3.6"}],"source":"CPE_FIELD","vendor_product":"oracle:agile_plm"},{"cpes":["cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:blockchain_platform","source":"CPE_FIELD","extracted_events":[{"fixed":"21.1.2"}]},{"cpes":["cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"11.3.2"}],"source":"CPE_FIELD","vendor_product":"oracle:commerce_guided_search"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_policy","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.14.0"}]},{"cpes":["cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"10.0.1.5.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_instant_messaging_server"},{"cpes":["cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"source":"CPE_FIELD","vendor_product":"oracle:fmw_platform"},{"cpes":["cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*"],"vendor_product":"oracle:instantis_enterprisetrack","source":"CPE_FIELD","extracted_events":[{"last_affected":"17.1"},{"last_affected":"17.2"},{"last_affected":"17.3"}]},{"cpes":["cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}],"source":"CPE_FIELD","vendor_product":"oracle:managed_file_transfer"},{"cpes":["cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.0.21"}],"source":"CPE_FIELD","vendor_product":"oracle:mysql_enterprise_monitor"},{"cpes":["cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:siebel_ui_framework","source":"CPE_FIELD","extracted_events":[{"last_affected":"20.12"}]},{"cpes":["cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*","cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*"],"vendor_product":"oracle:workload_manager","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.0.1"},{"last_affected":"18c"},{"last_affected":"19c"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html"},{"type":"ADVISORY","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10332"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200724-0003/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4448-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4596-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4727"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}