Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1935

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Published

2020-02-24T22:15:11.980

Last Modified

2024-11-21T05:11:38.730

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

8.6

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-444
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache tomcat ≤ 7.0.99 Yes
Application apache tomcat ≤ 8.5.50 Yes
Application apache tomcat ≤ 9.0.30 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Application apache tomcat 9.0.0 Yes
Operating System debian debian_linux 8.0 Yes
Operating System debian debian_linux 9.0 Yes
Operating System debian debian_linux 10.0 Yes
Operating System canonical ubuntu_linux 16.04 Yes
Operating System opensuse leap 15.1 Yes
Application netapp data_availability_services - Yes
Application netapp oncommand_system_manager ≤ 3.1.3 Yes
Application oracle agile_engineering_data_management 6.2.1.0 Yes
Application oracle agile_product_lifecycle_management 9.3.3 Yes
Application oracle agile_product_lifecycle_management 9.3.5 Yes
Application oracle agile_product_lifecycle_management 9.3.6 Yes
Application oracle communications_element_manager 8.1.1 Yes
Application oracle communications_element_manager 8.2.0 Yes
Application oracle communications_element_manager 8.2.1 Yes
Application oracle communications_instant_messaging_server 10.0.1.4.0 Yes
Application oracle health_sciences_empirica_inspections 1.0.1.2 Yes
Application oracle health_sciences_empirica_signal 7.3.3 Yes
Application oracle hospitality_guest_access 4.2.0 Yes
Application oracle hospitality_guest_access 4.2.1 Yes
Application oracle hyperion_infrastructure_technology 11.1.2.4 Yes
Application oracle instantis_enterprisetrack ≤ 17.3 Yes
Application oracle mysql_enterprise_monitor ≤ 4.0.12 Yes
Application oracle mysql_enterprise_monitor ≤ 8.0.20 Yes
Application oracle retail_order_broker 15.0 Yes
Application oracle siebel_ui_framework ≤ 20.5 Yes
Application oracle transportation_management 6.3.7 Yes
Application oracle workload_manager 12.2.0.1 Yes
Application oracle workload_manager 18c Yes
Application oracle workload_manager 19c Yes
References