2020-02-24 23:15:00 2020-05-28 22:15:00

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
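The condition the advisory describes is a parser differential: the reverse proxy and Tomcat must disagree about where one request ends and the next begins because they treat the same invalid header line differently. The example below, added here and not taken from Tomcat or any proxy, models that disagreement with a toy HTTP/1.1 parser and three end-of-line policies. The precise invalid form Tomcat accepted is not stated on this page, so the lenient rule modelled (a CR not followed by LF ends a header line), the front end's fallback from an unrecognised Transfer-Encoding value to Content-Length, and every host, path and header name are assumptions chosen only to show the mechanism; the attacker bytes are constructed.

```python
"""Parser-differential demo for the smuggling scenario described above.

Added example, not Tomcat or reverse-proxy code.  The exact invalid
end-of-line form Tomcat accepted is not stated on this page; the lenient
rule modelled here (a CR not followed by LF ends a header line) and the
front end's fallback to Content-Length are ASSUMPTIONS chosen to show the
mechanism.  All hosts, paths and header names are constructed.
"""


class BadRequest(Exception):
    """Raised when a parser refuses the input (a 400 in a real server)."""


def read_line(buf, pos, policy):
    """Return (line, next_pos).  LF always ends a line and a CR directly
    before it is stripped.  A CR *not* followed by LF is handled per policy:
      "crlf_only"      - kept as an ordinary byte inside the line (front end)
      "lone_cr_eol"    - treated as end of line (assumed lenient back end)
      "reject_lone_cr" - BadRequest (the strict behaviour a fix should have)
    """
    i = pos
    while i < len(buf):
        c = buf[i]
        if c == 0x0A:
            line = buf[pos:i]
            return (line[:-1] if line.endswith(b"\r") else line), i + 1
        if c == 0x0D and i + 1 < len(buf) and buf[i + 1] != 0x0A:
            if policy == "lone_cr_eol":
                return buf[pos:i], i + 1
            if policy == "reject_lone_cr":
                raise BadRequest("CR not followed by LF in header section")
        i += 1
    raise BadRequest("unterminated line")


def read_chunked(buf, pos, policy):
    """Consume a chunked body; return (body, next_pos)."""
    body = b""
    while True:
        size_line, pos = read_line(buf, pos, policy)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:                      # last chunk, then optional trailers
            while True:
                line, pos = read_line(buf, pos, policy)
                if line == b"":
                    return body, pos
        body += buf[pos:pos + size]
        pos += size
        crlf, pos = read_line(buf, pos, policy)
        if crlf != b"":
            raise BadRequest("missing CRLF after chunk data")


def parse_request(buf, pos, policy):
    """Parse one request starting at pos; return (request dict, next_pos)."""
    request_line, pos = read_line(buf, pos, policy)
    headers = {}
    while True:
        line, pos = read_line(buf, pos, policy)
        if line == b"":
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body, pos = read_chunked(buf, pos, policy)
    else:
        # A Transfer-Encoding value that is present but not exactly "chunked"
        # falls through to Content-Length here.  RFC 7230 s3.3.3 says such a
        # message should be rejected instead; this fallback is the assumed
        # "incorrect handling" on the proxy side that the advisory requires.
        n = int(headers.get(b"content-length", b"0"))
        body, pos = buf[pos:pos + n], pos + n
    return {"request_line": request_line, "headers": headers, "body": body}, pos


def parse_stream(buf, policy):
    """Split a byte stream into the sequence of requests this policy sees."""
    requests, pos = [], 0
    while pos < len(buf):
        req, pos = parse_request(buf, pos, policy)
        requests.append(req)
    return requests


def is_rejected(buf, policy):
    """True if the policy refuses the stream with a BadRequest."""
    try:
        parse_stream(buf, policy)
    except BadRequest:
        return True
    return False


# Constructed attacker stream: one POST whose body, as the front end measures
# it, contains an empty chunked body followed by a complete second request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (
    b"POST /upload HTTP/1.1\r\n"
    + b"Host: backend.example\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\rX-Junk: 1\r\n"   # lone CR: invalid line
    + b"\r\n" + BODY
)

if __name__ == "__main__":
    for policy in ("crlf_only", "lone_cr_eol"):
        seen = parse_stream(ATTACK, policy)
        print(policy, "sees", len(seen), "request(s):",
              [r["request_line"] for r in seen])
    print("reject_lone_cr rejects the stream:", is_rejected(ATTACK, "reject_lone_cr"))
```

Run as written, the front-end policy sees a single POST whose body swallows the GET, while the lenient back-end policy sees the POST with an empty chunked body and then a separate GET /admin that the proxy never evaluated. Two things have to hold for that desync to be reachable, which is why the advisory rates such a proxy unlikely: the proxy must forward the invalid header line byte-for-byte instead of rejecting or normalising it, and it must then size the body by Content-Length despite a Transfer-Encoding header being present. The reject_lone_cr policy shows the back-end side of the fix: refusing the malformed end-of-line removes the ambiguity regardless of what the proxy does.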

CVSS v2 base metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Affected configurations (every entry below is flagged "not an official CPE" in the source):
Apache Tomcat 9.0.0 Milestone1 through Milestone27 (each of the 27 milestone builds listed individually)
Apache Tomcat 9.0.0
Apache Tomcat, unversioned wildcard match