Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2020-1935

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS v3:

  • Severity: Low
  • Score: 4.8
  • AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5.8
  • AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

Software From Fixed in
apache / tomcat 9.0.0-milestone1 9.0.0-milestone1.x
apache / tomcat 9.0.0-milestone10 9.0.0-milestone10.x
apache / tomcat 9.0.0-milestone11 9.0.0-milestone11.x
apache / tomcat 9.0.0-milestone12 9.0.0-milestone12.x
apache / tomcat 9.0.0-milestone13 9.0.0-milestone13.x
apache / tomcat 9.0.0-milestone14 9.0.0-milestone14.x
apache / tomcat 9.0.0-milestone15 9.0.0-milestone15.x
apache / tomcat 9.0.0-milestone16 9.0.0-milestone16.x
apache / tomcat 9.0.0-milestone17 9.0.0-milestone17.x
apache / tomcat 9.0.0-milestone18 9.0.0-milestone18.x
apache / tomcat 9.0.0-milestone19 9.0.0-milestone19.x
apache / tomcat 9.0.0-milestone2 9.0.0-milestone2.x
apache / tomcat 9.0.0-milestone20 9.0.0-milestone20.x
apache / tomcat 9.0.0-milestone21 9.0.0-milestone21.x
apache / tomcat 9.0.0-milestone22 9.0.0-milestone22.x
apache / tomcat 9.0.0-milestone23 9.0.0-milestone23.x
apache / tomcat 9.0.0-milestone24 9.0.0-milestone24.x
apache / tomcat 9.0.0-milestone25 9.0.0-milestone25.x
apache / tomcat 9.0.0-milestone26 9.0.0-milestone26.x
apache / tomcat 9.0.0-milestone27 9.0.0-milestone27.x
apache / tomcat 9.0.0-milestone3 9.0.0-milestone3.x
apache / tomcat 9.0.0-milestone4 9.0.0-milestone4.x
apache / tomcat 9.0.0-milestone5 9.0.0-milestone5.x
apache / tomcat 9.0.0-milestone6 9.0.0-milestone6.x
apache / tomcat 9.0.0-milestone7 9.0.0-milestone7.x
apache / tomcat 9.0.0-milestone8 9.0.0-milestone8.x
apache / tomcat 9.0.0-milestone9 9.0.0-milestone9.x
apache / tomcat 7.0.0 7.0.99.x
apache / tomcat 8.5.0 8.5.50.x
apache / tomcat 9.0.0 9.0.30.x
apache / tomcat 9.0.0 9.0.0.x
debian / debian_linux 8.0 8.0.x
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
canonical / ubuntu_linux 16.04 16.04.x
opensuse / leap 15.1 15.1.x
netapp / oncommand_system_manager 3.0.0 3.1.3.x
oracle / transportation_management 6.3.7 6.3.7.x
oracle / hospitality_guest_access 4.2.0 4.2.0.x
oracle / hospitality_guest_access 4.2.1 4.2.1.x
oracle / retail_order_broker 15.0 15.0.x
oracle / agile_product_lifecycle_management 9.3.3 9.3.3.x
oracle / agile_product_lifecycle_management 9.3.5 9.3.5.x
oracle / agile_product_lifecycle_management 9.3.6 9.3.6.x
oracle / instantis_enterprisetrack 17.1 17.3.x
oracle / health_sciences_empirica_signal 7.3.3 7.3.3.x
oracle / communications_instant_messaging_server 10.0.1.4.0 10.0.1.4.0.x
oracle / communications_element_manager 8.2.0 8.2.0.x
oracle / communications_element_manager 8.2.1 8.2.1.x
oracle / communications_element_manager 8.1.1 8.1.1.x
oracle / workload_manager 18c 18c.x
oracle / workload_manager 19c 19c.x
oracle / workload_manager 12.2.0.1 12.2.0.1.x
oracle / hyperion_infrastructure_technology 11.1.2.4 11.1.2.4.x
oracle / mysql_enterprise_monitor 8.0.0 8.0.20.x
oracle / agile_engineering_data_management 6.2.1.0 6.2.1.0.x
oracle / siebel_ui_framework - 20.5.x
oracle / health_sciences_empirica_inspections 1.0.1.2 1.0.1.2.x
oracle / mysql_enterprise_monitor 4.0.0 4.0.12.x
org.apache.tomcat.embed / tomcat-embed-core - 7.0.100
org.apache.tomcat.embed / tomcat-embed-core 8.0.0 8.5.51
org.apache.tomcat.embed / tomcat-embed-core 9.0.0 9.0.31
org.apache.tomcat / tomcat - 7.0.100
org.apache.tomcat / tomcat 8.0.0 8.5.51
org.apache.tomcat / tomcat 9.0.0 9.0.31