CVE-2019-17569

EPSS 6.16%
Published 24.02.2020 22:15:11
Last modified 21.11.2024 04:32:33
Source security@apache.org
Teams watchlist Login
Open Login

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 7.0.98 <= 7.0.99

Apache ≫ Tomcat Version >= 8.5.48 <= 8.5.50

Apache ≫ Tomcat Version >= 9.0.28 <= 9.0.30

Apache ≫ Tomee Version7.0.7

Opensuse ≫ Leap Version15.1

Netapp ≫ Data Availability Services Version-

Netapp ≫ Oncommand System Manager Version >= 3.0.0 <= 3.1.3

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Oracle ≫ Agile Engineering Data Management Version6.2.1.0

Oracle ≫ Agile Plm Version9.3.3

Oracle ≫ Agile Plm Version9.3.5

Oracle ≫ Agile Plm Version9.3.6

Oracle ≫ Communications Instant Messaging Server Version10.0.1.4.0

Oracle ≫ Health Sciences Empirica Inspections Version1.0.1.2

Oracle ≫ Health Sciences Empirica Signal Version7.3.3

Oracle ≫ Hospitality Guest Access Version4.2.0

Oracle ≫ Hospitality Guest Access Version4.2.1

Oracle ≫ Instantis Enterprisetrack Version >= 17.1 <= 17.3

Oracle ≫ Mysql Enterprise Monitor Version <= 4.0.12

Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.20

Oracle ≫ Transportation Management Version6.3.7

Oracle ≫ Workload Manager Version12.2.0.1

Oracle ≫ Workload Manager Version18c

Oracle ≫ Workload Manager Version19c

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	6.16%	0.904

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://www.oracle.com/security-alerts/cpujan2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch

Third Party Advisory

https://www.debian.org/security/2020/dsa-4680

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html