CVE-2020-1935

EPSS 1.01%
Published 24.02.2020 22:15:11
Last modified 21.11.2024 05:11:38
Source security@apache.org
Teams watchlist Login
Open Login

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Affected products Warnungen 0 Metrics 3 CWE 1 References 22

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 7.0.0 <= 7.0.99

Apache ≫ Tomcat Version >= 8.5.0 <= 8.5.50

Apache ≫ Tomcat Version >= 9.0.0 <= 9.0.30

Apache ≫ Tomcat Version9.0.0 Update-

Apache ≫ Tomcat Version9.0.0 Updatemilestone1

Apache ≫ Tomcat Version9.0.0 Updatemilestone10

Apache ≫ Tomcat Version9.0.0 Updatemilestone11

Apache ≫ Tomcat Version9.0.0 Updatemilestone12

Apache ≫ Tomcat Version9.0.0 Updatemilestone13

Apache ≫ Tomcat Version9.0.0 Updatemilestone14

Apache ≫ Tomcat Version9.0.0 Updatemilestone15

Apache ≫ Tomcat Version9.0.0 Updatemilestone16

Apache ≫ Tomcat Version9.0.0 Updatemilestone17

Apache ≫ Tomcat Version9.0.0 Updatemilestone18

Apache ≫ Tomcat Version9.0.0 Updatemilestone19

Apache ≫ Tomcat Version9.0.0 Updatemilestone2

Apache ≫ Tomcat Version9.0.0 Updatemilestone20

Apache ≫ Tomcat Version9.0.0 Updatemilestone21

Apache ≫ Tomcat Version9.0.0 Updatemilestone22

Apache ≫ Tomcat Version9.0.0 Updatemilestone23

Apache ≫ Tomcat Version9.0.0 Updatemilestone24

Apache ≫ Tomcat Version9.0.0 Updatemilestone25

Apache ≫ Tomcat Version9.0.0 Updatemilestone26

Apache ≫ Tomcat Version9.0.0 Updatemilestone27

Apache ≫ Tomcat Version9.0.0 Updatemilestone3

Apache ≫ Tomcat Version9.0.0 Updatemilestone4

Apache ≫ Tomcat Version9.0.0 Updatemilestone5

Apache ≫ Tomcat Version9.0.0 Updatemilestone6

Apache ≫ Tomcat Version9.0.0 Updatemilestone7

Apache ≫ Tomcat Version9.0.0 Updatemilestone8

Apache ≫ Tomcat Version9.0.0 Updatemilestone9

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Opensuse ≫ Leap Version15.1

Netapp ≫ Data Availability Services Version-

Netapp ≫ Oncommand System Manager Version >= 3.0.0 <= 3.1.3

Oracle ≫ Agile Engineering Data Management Version6.2.1.0

Oracle ≫ Agile Product Lifecycle Management Version9.3.3

Oracle ≫ Agile Product Lifecycle Management Version9.3.5

Oracle ≫ Agile Product Lifecycle Management Version9.3.6

Oracle ≫ Communications Element Manager Version8.1.1

Oracle ≫ Communications Element Manager Version8.2.0

Oracle ≫ Communications Element Manager Version8.2.1

Oracle ≫ Communications Instant Messaging Server Version10.0.1.4.0

Oracle ≫ Health Sciences Empirica Inspections Version1.0.1.2

Oracle ≫ Health Sciences Empirica Signal Version7.3.3

Oracle ≫ Hospitality Guest Access Version4.2.0

Oracle ≫ Hospitality Guest Access Version4.2.1

Oracle ≫ Hyperion Infrastructure Technology Version11.1.2.4

Oracle ≫ Instantis Enterprisetrack Version >= 17.1 <= 17.3

Oracle ≫ Mysql Enterprise Monitor Version >= 4.0.0 <= 4.0.12

Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.20

Oracle ≫ Retail Order Broker Version15.0

Oracle ≫ Siebel Ui Framework Version <= 20.5

Oracle ≫ Transportation Management Version6.3.7

Oracle ≫ Workload Manager Version12.2.0.1

Oracle ≫ Workload Manager Version18c

Oracle ≫ Workload Manager Version19c

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.01%	0.763

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://www.oracle.com/security-alerts/cpujan2021.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Third Party Advisory

https://www.debian.org/security/2020/dsa-4680

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

Third Party Advisory

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html