CVE-2019-17569

CVE	CVE-2019-17569
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-02-24 22:15:00 UTC
Updated	2023-11-07 03:06:00 UTC
Description	The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Problem Types: CWE-444

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomee	7.0.7	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Netapp	Data Availability Services	-	All	All	All
Application	Netapp	Oncommand System Manager	All	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Agile Engineering Data Management	6.2.1.0	All	All	All
Application	Oracle	Agile Plm	9.3.3	All	All	All
Application	Oracle	Agile Plm	9.3.5	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Communications Instant Messaging Server	10.0.1.4.0	All	All	All
Application	Oracle	Health Sciences Empirica Inspections	1.0.1.2	All	All	All
Application	Oracle	Health Sciences Empirica Signal	7.3.3	All	All	All
Application	Oracle	Hospitality Guest Access	4.2.0	All	All	All
Application	Oracle	Hospitality Guest Access	4.2.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	All	All	All	All
Application	Oracle	Mysql Enterprise Monitor	All	All	All	All
Application	Oracle	Mysql Enterprise Monitor	All	All	All	All
Application	Oracle	Transportation Management	6.3.7	All	All	All
Application	Oracle	Workload Manager	12.2.0.1	All	All	All
Application	Oracle	Workload Manager	18c	All	All	All
Application	Oracle	Workload Manager	19c	All	All	All

Reference	Source	Link	Tags
February 2020 Apache Tomcat Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - July 2020	MISC	www.oracle.com
[SECURITY] [DLA 2133-1] tomcat7 security update	MLIST	lists.debian.org	Third Party Advisory
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org	Mailing List, Vendor Advisory
[security-announce] openSUSE-SU-2020:0345-1: important: Security update	SUSE	lists.opensuse.org
Debian -- Security Information -- DSA-4673-1 tomcat8	DEBIAN	www.debian.org
Pony Mail!		lists.apache.org
Debian -- Security Information -- DSA-4680-1 tomcat9	DEBIAN	www.debian.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

20277 Oracle Database 18c Critical OJVM Patch Update - July 2020
20281 Oracle Database 19c Critical OJVM Patch Update - July 2020
20292 Oracle Database 12.2.0.1 Critical OJVM Patch Update - July 2020
356190 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-012
730112 Atlassian Jira Component Apache Tomcat Hypertext Transfer Protocol (HTTP) Request Smuggling Vulnerability (JRASERVER-70993)
730434 Update TITLE manually (JRASERVER-70487)
730441 Atlassian Jira Local Privilege Escalation Vulnerability (JRASERVER-70487)
730449 (JRASERVER-70487)
730510 Atlassian Jira Remote Code Execution (RCE) Vulnerability (JRASERVER-73223)
981583 Java (maven) Security Update for org.apache.tomcat:tomcat (GHSA-767j-jfh2-jvrc)