CVE-2019-17569

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS v3 4.8 MEDIUM
CVSS v2.0 5.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0005/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4673	Third Party Advisory
https://www.debian.org/security/2020/dsa-4680	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomee:7.0.7:::::::*

Configuration 2 (hide)

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:data_availability_services:-:::::::*
	cpe:2.3:a:netapp:oncommand_system_manager::::::::

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*
	cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
	cpe:2.3:a:oracle:workload_manager:18c:::::::*
	cpe:2.3:a:oracle:workload_manager:19c:::::::*

History

07 Nov 2023, 03:06

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20200320 [jira] [Created] (TOMEE-2790) TomEE plus(7.0.7) is affected by CVE-2020-1935 & CVE-2019-17569 vulnerabilities', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E', 'name': '[tomee-commits] 20200323 [jira] [Commented] (TOMEE-2790) TomEE plus(7.0.7) is affected by CVE-2020-1935 & CVE-2019-17569 vulnerabilities', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E - () https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E -

02 Sep 2022, 15:30

Type	Values Removed	Values Added
First Time		Oracle agile Plm Oracle hospitality Guest Access Apache tomee Opensuse leap Oracle communications Instant Messaging Server Debian debian Linux Netapp Oracle mysql Enterprise Monitor Oracle health Sciences Empirica Inspections Netapp data Availability Services Oracle instantis Enterprisetrack Oracle health Sciences Empirica Signal Debian Opensuse Oracle transportation Management Netapp oncommand System Manager Oracle agile Engineering Data Management Oracle Oracle workload Manager
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20200327-0005/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20200327-0005/ - Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html - Third Party Advisory~~	(MLIST) https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2020/dsa-4680 -~~	(DEBIAN) https://www.debian.org/security/2020/dsa-4680 - Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2020/dsa-4673 -~~	(DEBIAN) https://www.debian.org/security/2020/dsa-4673 - Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E - Mailing List, Vendor Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E - Mailing List, Vendor Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpujul2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory
References	~~(SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html -~~	(SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::* cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::* cpe:2.3:o:opensuse:leap:15.1:::::::* cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:::::::* cpe:2.3:a:oracle:workload_manager:19c:::::::* cpe:2.3:a:oracle:agile_plm:9.3.3:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:oracle:workload_manager:18c:::::::* cpe:2.3:a:apache:tomee:7.0.7:::::::* cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::* cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:::::::* cpe:2.3:a:netapp:data_availability_services:-:::::::* cpe:2.3:a:oracle:instantis_enterprisetrack:::::::: cpe:2.3:a:oracle:agile_plm:9.3.5:::::::* cpe:2.3:a:oracle:mysql_enterprise_monitor:::::::: cpe:2.3:a:netapp:oncommand_system_manager:::::::: cpe:2.3:a:oracle:transportation_management:6.3.7:::::::* cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::* cpe:2.3:a:oracle:agile_plm:9.3.6:::::::* cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:::::::*

20 Jan 2021, 15:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2021.html -

Information

Published : 2020-02-24 22:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-17569

Mitre link : CVE-2019-17569

CVE.ORG link : CVE-2019-17569

JSON object : View

Products Affected

oracle

health_sciences_empirica_inspections
transportation_management
hospitality_guest_access
agile_engineering_data_management
mysql_enterprise_monitor
communications_instant_messaging_server
instantis_enterprisetrack
health_sciences_empirica_signal
workload_manager
agile_plm

apache

tomcat
tomee

netapp

oncommand_system_manager
data_availability_services

opensuse

leap

debian

debian_linux

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

4.8 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.8 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-17569

4.8^/10

5.8^/10

Attach tags to `CVE-2019-17569`