Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-qxf4-chvg-4r8r

Опубликовано: 28 фев. 2020
Источник: github
Github: Прошло ревью
CVSS3: 4.8

Описание

Potential HTTP request smuggling in Apache Tomcat

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Ссылки

Пакеты

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven
Затронутые версииВерсия исправления

< 7.0.100

7.0.100

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven
Затронутые версииВерсия исправления

>= 8.0.0, < 8.5.51

8.5.51

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven
Затронутые версииВерсия исправления

>= 9.0.0, < 9.0.31

9.0.31

Наименование

org.apache.tomcat:tomcat

maven
Затронутые версииВерсия исправления

< 7.0.100

7.0.100

Наименование

org.apache.tomcat:tomcat

maven
Затронутые версииВерсия исправления

>= 8.0.0, < 8.5.51

8.5.51

Наименование

org.apache.tomcat:tomcat

maven
Затронутые версииВерсия исправления

>= 9.0.0, < 9.0.31

9.0.31

EPSS

Процентиль: 76%
0.01022
Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2020-1935

Дефекты

CWE-444

Связанные уязвимости

ubuntu логотип

CVE-2020-1935

CVSS3: 4.8
ubuntu
больше 5 лет назад

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

redhat логотип

CVE-2020-1935

CVSS3: 4.3
redhat
больше 5 лет назад

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

nvd логотип

CVE-2020-1935

CVSS3: 4.8
nvd
больше 5 лет назад

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

debian логотип

CVE-2020-1935

CVSS3: 4.8
debian
больше 5 лет назад

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0. ...

oracle-oval логотип

ELSA-2020-5020

oracle-oval
больше 4 лет назад

ELSA-2020-5020: tomcat security update (LOW)

EPSS

Процентиль: 76%
0.01022
Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2020-1935

Дефекты

CWE-444