Moderate severityNVD Advisory· Published Feb 24, 2020· Updated Aug 5, 2024
CVE-2019-17569
CVE-2019-17569
Description
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 7.0.98, < 7.0.100 | 7.0.100 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.48, < 8.5.51 | 8.5.51 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.28, < 9.0.31 | 9.0.31 |
org.apache.tomcat:tomcatMaven | >= 7.0.98, < 7.0.100 | 7.0.100 |
org.apache.tomcat:tomcatMaven | >= 8.5.48, < 8.5.51 | 8.5.51 |
org.apache.tomcat:tomcatMaven | >= 9.0.28, < 9.0.31 | 9.0.31 |
Affected products
28- ghsa-coords27 versionspkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcatpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
>= 7.0.98, < 7.0.100+ 26 more
- (no CPE)range: >= 7.0.98, < 7.0.100
- (no CPE)range: >= 7.0.98, < 7.0.100
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.31-lp151.3.12.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 9.0.31-4.22.1
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- Apache/Apache Tomcatv5Range: Apache Tomcat 9.0.28 to 9.0.30
Patches
Vulnerability mechanics
References
16- lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-767j-jfh2-jvrcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-17569ghsaADVISORY
- www.debian.org/security/2020/dsa-4673ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2020/dsa-4680ghsavendor-advisoryx_refsource_DEBIANWEB
- lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/03/msg00006.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20200327-0005ghsaWEB
- security.netapp.com/advisory/ntap-20200327-0005/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.