CVE-2020-1935 - Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0101.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Tomcat
Canonical	Ubuntu Linux
Debian	Debian Linux
Netapp	Data Availability Services Oncommand System Manager
Opensuse	Leap
Oracle	Agile Engineering Data Management Agile Product Lifecycle Management Communications Element Manager Communications Instant Messaging Server Health Sciences Empirica Inspections Health Sciences Empirica Signal Hospitality Guest Access Hyperion Infrastructure Technology Instantis Enterprisetrack Mysql Enterprise Monitor Retail Order Broker Siebel Ui Framework Transportation Management Workload Manager
Redhat	Enterprise Linux Jboss Enterprise Web Server Jboss Fuse Openshift Application Runtimes Rhel Eus

Configuration 1 [-]

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:9.0.0:-::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 [-]

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 4 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 5 [-]

OR	cpe:2.3:a:netapp:data_availability_services:-:::::::*
	cpe:2.3:a:netapp:oncommand_system_manager::::::::

Configuration 6 [-]

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:::::::*
	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.1.1:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.2.0:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.2.1:::::::*
	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:::::::*
	cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:siebel_ui_framework::::::::
	cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*
	cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
	cpe:2.3:a:oracle:workload_manager:18c:::::::*
	cpe:2.3:a:oracle:workload_manager:19c:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
tomcat-0:7.0.76-16.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:5020	2020-11-10T00:00:00Z
Red Hat Enterprise Linux 7.6 Extended Update Support
tomcat-0:7.0.76-11.el7_6	cpe:/o:redhat:rhel_eus:7.6	RHSA-2021:0882	2021-03-16T00:00:00Z
Red Hat Enterprise Linux 7.7 Extended Update Support
tomcat-0:7.0.76-12.el7_7	cpe:/o:redhat:rhel_eus:7.7	RHSA-2021:1030	2021-03-30T00:00:00Z
Red Hat Enterprise Linux 8
pki-core:10.6-8030020200911215836.5ff1562f	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:4847	2020-11-04T00:00:00Z
pki-deps:10.6-8030020200527165326.30b713e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:4847	2020-11-04T00:00:00Z
Red Hat Fuse 7.9
tomcat	cpe:/a:redhat:jboss_fuse:7	RHSA-2021:3140	2021-08-11T00:00:00Z
Red Hat JBoss Web Server 3.1
tomcat	cpe:/a:redhat:jboss_enterprise_web_server:3.1	RHSA-2020:3305	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 3 for RHEL 6
tomcat7-0:7.0.70-41.ep7.el6	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6	RHSA-2020:3303	2020-08-04T00:00:00Z
tomcat8-0:8.0.36-45.ep7.el6	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6	RHSA-2020:3303	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 3 for RHEL 7
tomcat7-0:7.0.70-41.ep7.el7	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7	RHSA-2020:3303	2020-08-04T00:00:00Z
tomcat8-0:8.0.36-45.ep7.el7	cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7	RHSA-2020:3303	2020-08-04T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 6
jws5-tomcat-0:9.0.30-3.redhat_4.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6	RHSA-2020:1520	2020-04-21T00:00:00Z
jws5-tomcat-native-0:1.2.23-4.redhat_4.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6	RHSA-2020:1520	2020-04-21T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 7
jws5-tomcat-0:9.0.30-3.redhat_4.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7	RHSA-2020:1520	2020-04-21T00:00:00Z
jws5-tomcat-native-0:1.2.23-4.redhat_4.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7	RHSA-2020:1520	2020-04-21T00:00:00Z
Red Hat JBoss Web Server 5.3 on RHEL 8
jws5-tomcat-0:9.0.30-3.redhat_4.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8	RHSA-2020:1520	2020-04-21T00:00:00Z
jws5-tomcat-native-0:1.2.23-4.redhat_4.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8	RHSA-2020:1520	2020-04-21T00:00:00Z
Red Hat JBoss Web Server (JWS) 5.3
tomcat	cpe:/a:redhat:jboss_enterprise_web_server:5.3	RHSA-2020:1521	2020-04-21T00:00:00Z
Red Hat Runtimes Spring Boot 2.1.13
tomcat	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2020:2367	2020-06-04T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-2133-1	tomcat7 security update
Debian DLA	DLA-2209-1	tomcat8 security update
Debian DSA	DSA-4673-1	tomcat8 security update
Debian DSA	DSA-4680-1	tomcat9 security update
EUVD	EUVD-2020-0311	In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
Github GHSA	GHSA-qxf4-chvg-4r8r	Potential HTTP request smuggling in Apache Tomcat
Ubuntu USN	USN-4448-1	Tomcat vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
https://nvd.nist.gov/vuln/detail/CVE-2020-1935
https://security.netapp.com/advisory/ntap-20200327-0005/
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
https://usn.ubuntu.com/4448-1/
https://www.cve.org/CVERecord?id=CVE-2020-1935
https://www.debian.org/security/2020/dsa-4673
https://www.debian.org/security/2020/dsa-4680
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2020-02-24T21:11:38

Updated: 2024-08-04T06:53:59.921Z

Reserved: 2019-12-02T00:00:00

Link: CVE-2020-1935

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-02-24T22:15:11.980

Modified: 2024-11-21T05:11:38.730

Link: CVE-2020-1935

Redhat

Severity : Low

Publid Date: 2020-02-24T00:00:00Z

Links: CVE-2020-1935 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object