History: Feb 24, 2020 - 9:04 p.m.

CVE-2019-17569

2020-02-24 21:04:40
apache
www.cve.org
apache tomcat 9.0.28
apache tomcat 9.0.30
apache tomcat 8.5.48
apache tomcat 8.5.50
apache tomcat 7.0.98
apache tomcat 7.0.99
http request smuggling vulnerability

AI Score: 7.2 (Confidence: Low)

EPSS: 0.003 (Percentile: 71.6%)

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. As a result of the regression, invalid Transfer-Encoding headers were incorrectly processed, leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 9.0.28 to 9.0.30"
      },
      {
        "status": "affected",
        "version": "8.5.48 to 8.5.50"
      },
      {
        "status": "affected",
        "version": "7.0.98 to 7.0.99"
      }
    ]
  }
]