Moderate severityNVD Advisory· Published Feb 24, 2020· Updated Aug 4, 2024
CVE-2020-1935
CVE-2020-1935
Description
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | < 7.0.100 | 7.0.100 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.0.0, < 8.5.51 | 8.5.51 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0, < 9.0.31 | 9.0.31 |
org.apache.tomcat:tomcatMaven | < 7.0.100 | 7.0.100 |
org.apache.tomcat:tomcatMaven | >= 8.0.0, < 8.5.51 | 8.5.51 |
org.apache.tomcat:tomcatMaven | >= 9.0.0, < 9.0.31 | 9.0.31 |
Affected products
28- osv-coords27 versionspkg:apk/chainguard/spark-3.5.0-compatpkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcatpkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 3.5.0-r2+ 26 more
- (no CPE)range: < 3.5.0-r2
- (no CPE)range: >= 7.0.0, < 7.0.100
- (no CPE)range: < 7.0.100
- (no CPE)range: < 7.0.100
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.31-lp151.3.12.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 9.0.31-4.22.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.25.1
- (no CPE)range: < 9.0.31-3.42.2
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- (no CPE)range: < 8.0.53-29.37.1
- Apache/Apache Tomcatv5Range: Apache Tomcat 9.0.0.M1 to 9.0.30
Patches
Vulnerability mechanics
References
31- lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-qxf4-chvg-4r8rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-1935ghsaADVISORY
- usn.ubuntu.com/4448-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2020/dsa-4673ghsavendor-advisoryx_refsource_DEBIANWEB
- www.debian.org/security/2020/dsa-4680ghsavendor-advisoryx_refsource_DEBIANWEB
- lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2020/03/msg00006.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2020/05/msg00026.htmlghsamailing-listx_refsource_MLISTWEB
- security.netapp.com/advisory/ntap-20200327-0005ghsaWEB
- security.netapp.com/advisory/ntap-20200327-0005/mitrex_refsource_CONFIRM
- usn.ubuntu.com/4448-1ghsaWEB
- www.oracle.com/security-alerts/cpujan2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujul2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuoct2020.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.