Lucene search

K
cveApacheCVE-2019-17569
HistoryFeb 24, 2020 - 10:15 p.m.

CVE-2019-17569

2020-02-2422:15:11
CWE-444
apache
web.nvd.nist.gov
437
2
apache tomcat
cve-2019-17569
security
http request smuggling
nvd

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7

Confidence

Low

EPSS

0.003

Percentile

71.6%

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Affected configurations

Nvd
Vulners
Node
apachetomcatRange7.0.987.0.99
OR
apachetomcatRange8.5.488.5.50
OR
apachetomcatRange9.0.289.0.30
OR
apachetomeeMatch7.0.7
Node
opensuseleapMatch15.1
Node
netappdata_availability_servicesMatch-
OR
netapponcommand_system_managerRange3.0.03.1.3
Node
debiandebian_linuxMatch9.0
OR
debiandebian_linuxMatch10.0
Node
oracleagile_engineering_data_managementMatch6.2.1.0
OR
oracleagile_plmMatch9.3.3
OR
oracleagile_plmMatch9.3.5
OR
oracleagile_plmMatch9.3.6
OR
oraclecommunications_instant_messaging_serverMatch10.0.1.4.0
OR
oraclehealth_sciences_empirica_inspectionsMatch1.0.1.2
OR
oraclehealth_sciences_empirica_signalMatch7.3.3
OR
oraclehospitality_guest_accessMatch4.2.0
OR
oraclehospitality_guest_accessMatch4.2.1
OR
oracleinstantis_enterprisetrackRange17.117.3
OR
oraclemysql_enterprise_monitorRange4.0.12
OR
oraclemysql_enterprise_monitorRange8.0.08.0.20
OR
oracletransportation_managementMatch6.3.7
OR
oracleworkload_managerMatch12.2.0.1
OR
oracleworkload_managerMatch18c
OR
oracleworkload_managerMatch19c
VendorProductVersionCPE
apachetomcat*cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apachetomee7.0.7cpe:2.3:a:apache:tomee:7.0.7:*:*:*:*:*:*:*
opensuseleap15.1cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
netappdata_availability_services-cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*
netapponcommand_system_manager*cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
oracleagile_engineering_data_management6.2.1.0cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
oracleagile_plm9.3.3cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
oracleagile_plm9.3.5cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
Rows per page:
1-10 of 221

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 9.0.28 to 9.0.30"
      },
      {
        "status": "affected",
        "version": "8.5.48 to 8.5.50"
      },
      {
        "status": "affected",
        "version": "7.0.98 to 7.0.99"
      }
    ]
  }
]

Social References

More

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7

Confidence

Low

EPSS

0.003

Percentile

71.6%