vulnerability
Red Hat: CVE-2020-1935: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | 2020-02-24 | 2020-11-11 | 2024-11-26 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
2020-02-24
Added
2020-11-11
Modified
2024-11-26
Description
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
Solution(s)
redhat-upgrade-apache-commons-collectionsredhat-upgrade-apache-commons-langredhat-upgrade-apache-commons-netredhat-upgrade-bea-stax-apiredhat-upgrade-glassfish-fastinfosetredhat-upgrade-glassfish-jaxb-apiredhat-upgrade-glassfish-jaxb-coreredhat-upgrade-glassfish-jaxb-runtimeredhat-upgrade-glassfish-jaxb-txw2redhat-upgrade-jackson-annotationsredhat-upgrade-jackson-coreredhat-upgrade-jackson-databindredhat-upgrade-jackson-jaxrs-json-providerredhat-upgrade-jackson-jaxrs-providersredhat-upgrade-jackson-module-jaxb-annotationsredhat-upgrade-jakarta-commons-httpclientredhat-upgrade-javassistredhat-upgrade-javassist-javadocredhat-upgrade-jssredhat-upgrade-jss-debuginforedhat-upgrade-jss-debugsourceredhat-upgrade-jss-javadocredhat-upgrade-ldapjdkredhat-upgrade-ldapjdk-javadocredhat-upgrade-pki-baseredhat-upgrade-pki-base-javaredhat-upgrade-pki-caredhat-upgrade-pki-core-debuginforedhat-upgrade-pki-core-debugsourceredhat-upgrade-pki-kraredhat-upgrade-pki-serverredhat-upgrade-pki-servlet-4-0-apiredhat-upgrade-pki-servlet-engineredhat-upgrade-pki-symkeyredhat-upgrade-pki-symkey-debuginforedhat-upgrade-pki-toolsredhat-upgrade-pki-tools-debuginforedhat-upgrade-python-nss-debugsourceredhat-upgrade-python-nss-docredhat-upgrade-python3-nssredhat-upgrade-python3-nss-debuginforedhat-upgrade-python3-pkiredhat-upgrade-relaxngdatatyperedhat-upgrade-resteasyredhat-upgrade-slf4jredhat-upgrade-slf4j-jdk14redhat-upgrade-stax-exredhat-upgrade-tomcatredhat-upgrade-tomcat-admin-webappsredhat-upgrade-tomcat-docs-webappredhat-upgrade-tomcat-el-2-2-apiredhat-upgrade-tomcat-javadocredhat-upgrade-tomcat-jsp-2-2-apiredhat-upgrade-tomcat-jsvcredhat-upgrade-tomcat-libredhat-upgrade-tomcat-servlet-3-0-apiredhat-upgrade-tomcat-webappsredhat-upgrade-tomcatjssredhat-upgrade-velocityredhat-upgrade-xalan-j2redhat-upgrade-xerces-j2redhat-upgrade-xml-commons-apisredhat-upgrade-xml-commons-resolverredhat-upgrade-xmlstreambufferredhat-upgrade-xsom
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.