GHSA-767j-jfh2-jvrc

Published: 28 Feb 2020
Source: github
GitHub: reviewed
CVSS3: 4.8

Description

Potential HTTP request smuggling in Apache Tomcat

The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Packages

Name                                       Ecosystem  Affected versions      Fixed version
org.apache.tomcat.embed:tomcat-embed-core  maven      >= 7.0.98, < 7.0.100   7.0.100
org.apache.tomcat.embed:tomcat-embed-core  maven      >= 8.5.48, < 8.5.51    8.5.51
org.apache.tomcat.embed:tomcat-embed-core  maven      >= 9.0.28, < 9.0.31    9.0.31
org.apache.tomcat:tomcat                   maven      >= 7.0.98, < 7.0.100   7.0.100
org.apache.tomcat:tomcat                   maven      >= 8.5.48, < 8.5.51    8.5.51
org.apache.tomcat:tomcat                   maven      >= 9.0.28, < 9.0.31    9.0.31

EPSS

Percentile: 93%
Score: 0.09925
Low

CVSS3: 4.8 Medium

Weaknesses

CWE-444

Related vulnerabilities

CVSS3: 4.8
ubuntu
more than 5 years ago

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS3: 4.3
redhat
more than 5 years ago


CVSS3: 4.8
nvd
more than 5 years ago


CVSS3: 4.8
debian
more than 5 years ago


CVSS3: 4.8
fstec
more than 5 years ago

A vulnerability in the Apache Tomcat application server caused by flaws in HTTP request processing, allowing an attacker to send a hidden HTTP request (an HTTP Request Smuggling attack).
