In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
07 Nov 2023, 03:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
04 May 2021, 19:19
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* |
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:* cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:* |
References | (MISC) https://www.oracle.com/security-alerts/cpujul2020.html - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E - Mailing List, Vendor Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html - Broken Link, Mailing List, Third Party Advisory |
28 Apr 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Feb 2021, 16:43
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Third Party Advisory | |
References | (MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Third Party Advisory | |
CPE | cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:* |
20 Jan 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2020-02-24 22:15
Updated : 2023-12-10 13:13
NVD link : CVE-2020-1935
Mitre link : CVE-2020-1935
CVE.ORG link : CVE-2020-1935
JSON object : View
Products Affected
oracle
- health_sciences_empirica_inspections
- communications_element_manager
- instantis_enterprisetrack
- agile_engineering_data_management
- hyperion_infrastructure_technology
- agile_product_lifecycle_management
- siebel_ui_framework
- transportation_management
- mysql_enterprise_monitor
- health_sciences_empirica_signal
- retail_order_broker
- hospitality_guest_access
- workload_manager
- communications_instant_messaging_server
netapp
- data_availability_services
- oncommand_system_manager
debian
- debian_linux
apache
- tomcat
opensuse
- leap
canonical
- ubuntu_linux
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')