CVE-2020-1935

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-1935
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1935.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-1935
Aliases
Related
Published
2020-02-24T22:15:11Z
Modified
2024-09-18T01:00:20Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

References

Affected packages

Debian:11 / tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Introduced
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Introduced
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Introduced
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected
Last affected