Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.8
CVSSv3

CVE-2019-17569

Published: 24/02/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 4.8 | Impact Score: 2.5 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Subscribe to Apache

Vulnerability Summary

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat

apache tomee 7.0.7

opensuse leap 15.1

netapp oncommand system manager

netapp data availability services -

debian debian linux 9.0

debian debian linux 10.0

oracle transportation management 6.3.7

oracle hospitality guest access 4.2.0

oracle hospitality guest access 4.2.1

oracle agile plm 9.3.3

oracle agile plm 9.3.5

oracle agile plm 9.3.6

oracle instantis enterprisetrack

oracle mysql enterprise monitor

oracle health sciences empirica signal 7.3.3

oracle communications instant messaging server 10.0.1.4.0

oracle workload manager 18c

oracle workload manager 19c

oracle workload manager 12.2.0.1

oracle agile engineering data management 6.2.1.0

oracle health sciences empirica inspections 1.0.1.2

Vendor Advisories

Red Hat: Important: Red Hat JBoss Web Server 5.3 release
Synopsis Important: Red Hat JBoss Web Server 53 release Type/Severity Security Advisory: Important Topic Red Hat JBoss Web Server 530 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is availableRed Hat Product Security has rated this release as having a security impact ofImportant A Common ...
Red Hat: Important: Red Hat JBoss Web Server 5.3 release
Synopsis Important: Red Hat JBoss Web Server 53 release Type/Severity Security Advisory: Important Topic Updated Red Hat JBoss Web Server 530 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8Red Hat Product Security has rated this relea ...
Debian Security Advisories: DSA-4680-1 tomcat9 -- security update
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface For the stable distribution (buster), these problems have been fixed in version 9031-1~deb10u1 The ...
Debian Security Advisories: DSA-4673-1 tomcat8 -- security update
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling and code execution in the AJP connector (disabled by default in Debian) For the oldstable distribution (stretch), these problems have been fixed in version 8554-0+deb9u1 We recommend that you upgrade your tomcat8 packages ...
Amazon Linux 2: ALASTOMCAT8.5-2023-012
The refactoring present in Apache Tomcat 9028 to 9030, 8548 to 8550 and 7098 to 7099 introduced a regression The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the inva ...
Amazon Linux AMI: ALAS-2020-1352
In Apache Tomcat 900M1 to 9030, 850 to 8550 and 700 to 7099 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Enc ...
Amazon Linux AMI: ALAS-2020-1353
In Apache Tomcat 900M1 to 9030, 850 to 8550 and 700 to 7099 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Enc ...

References

CWE-444https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2020/03/msg00006.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlhttps://security.netapp.com/advisory/ntap-20200327-0005/https://www.debian.org/security/2020/dsa-4673https://www.debian.org/security/2020/dsa-4680https://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://www.oracle.com/security-alerts/cpujan2021.htmlhttps://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3Ehttps://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3Ehttps://access.redhat.com/errata/RHSA-2020:1521https://nvd.nist.govhttps://www.debian.org/security/2020/dsa-4680
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-32744privilege escalationCVE-2024-30253CVE-2024-3914cross-site scriptingCVE-2024-31497CVE-2024-3400CVE-2024-32341hardcoded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook