CVE-2020-1935

UNKNOWN

Published 2020-02-24T21:11:38

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2020-1935. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache

Apache Tomcat

Affected Versions:

Apache Tomcat 9.0.0.M1 to 9.0.30 8.5.0 to 8.5.50 7.0.0 to 7.0.99

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Potential HTTP request smuggling in Apache Tomcat

GHSA-qxf4-chvg-4r8r

Advisory Details

Affected Packages

Maven org.apache.tomcat.embed:tomcat-embed-core

ECOSYSTEM: ≥0 <7.0.100

Maven org.apache.tomcat.embed:tomcat-embed-core

ECOSYSTEM: ≥8.0.0 <8.5.51

Maven org.apache.tomcat.embed:tomcat-embed-core

ECOSYSTEM: ≥9.0.0 <9.0.31

Maven org.apache.tomcat:tomcat

ECOSYSTEM: ≥0 <7.0.100

Maven org.apache.tomcat:tomcat

ECOSYSTEM: ≥8.0.0 <8.5.51

Maven org.apache.tomcat:tomcat

ECOSYSTEM: ≥9.0.0 <9.0.31

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-1935

WEB https://www.oracle.com/security-alerts/cpuoct2020.html

WEB https://www.oracle.com/security-alerts/cpujul2020.html

WEB https://www.oracle.com/security-alerts/cpujan2021.html

WEB https://www.debian.org/security/2020/dsa-4680

WEB https://www.debian.org/security/2020/dsa-4673

WEB https://usn.ubuntu.com/4448-1

WEB https://security.netapp.com/advisory/ntap-20200327-0005

WEB https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

WEB https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html

WEB https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E

WEB https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E

WEB https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E

WEB https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E

WEB http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html

Advisory provided by GitHub Security Advisory Database. Published: February 28, 2020, Modified: August 19, 2021

References

https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html

https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E

https://www.debian.org/security/2020/dsa-4673

https://www.debian.org/security/2020/dsa-4680

https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://security.netapp.com/advisory/ntap-20200327-0005/

https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E

https://usn.ubuntu.com/4448-1/

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E

HackerOne Reports

Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE Medium

pvm

U.S. Dept Of Defense

Information Exposure Through an Error Message

View Report

Published: 2020-02-24T21:11:38

Last Modified: 2024-08-04T06:53:59.921Z

Copied to clipboard!

CVE-2020-1935

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Apache Tomcat

Affected Versions:

GitHub Security Advisories

Potential HTTP request smuggling in Apache Tomcat

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!