CVE-2019-17569
Severity
4.8 MEDIUM
EPSS
6.2%
top 9.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 24
Latest update: Jul 15
Description
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5
Affected Packages (18 packages)
Also affects: Debian Linux 10.0, 9.0
Patches
Vulnerability Details
Vendor Advisories (4)
Oracle: Oracle Database Server Risk Matrix: Workload Manager (Apache Tomcat) — CVE-2019-17569 (2020-07-15)
Red Hat: tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling (2020-02-24)
Debian: CVE-2019-17569: tomcat9 - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and ... (2019)
Community (1)
Bugzilla: CVE-2019-17569 tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling (2020-02-25)