In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, the HTTP header parsing code handled end-of-line parsing in a way that allowed some invalid HTTP headers to be parsed as valid. This made HTTP Request Smuggling possible if Tomcat was located behind a reverse proxy that incorrectly handled an invalid Transfer-Encoding header in a particular manner, because the proxy and Tomcat could then disagree about where one request ends and the next begins. Such a reverse proxy is considered unlikely.
{
"unresolved_ranges": [
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
],
"vendor_product": "canonical:ubuntu_linux",
"extracted_events": [
{
"last_affected": "16.04"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"vendor_product": "debian:debian_linux",
"extracted_events": [
{
"last_affected": "8.0"
},
{
"last_affected": "9.0"
},
{
"last_affected": "10.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*"
],
"vendor_product": "netapp:oncommand_system_manager",
"extracted_events": [
{
"introduced": "3.0.0"
},
{
"last_affected": "3.1.3"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"
],
"vendor_product": "opensuse:leap",
"extracted_events": [
{
"last_affected": "15.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:agile_engineering_data_management",
"extracted_events": [
{
"last_affected": "6.2.1.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:agile_product_lifecycle_management",
"extracted_events": [
{
"last_affected": "9.3.3"
},
{
"last_affected": "9.3.5"
},
{
"last_affected": "9.3.6"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_element_manager",
"extracted_events": [
{
"last_affected": "8.1.1"
},
{
"last_affected": "8.2.0"
},
{
"last_affected": "8.2.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:communications_instant_messaging_server",
"extracted_events": [
{
"last_affected": "10.0.1.4.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:health_sciences_empirica_inspections",
"extracted_events": [
{
"last_affected": "1.0.1.2"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:health_sciences_empirica_signal",
"extracted_events": [
{
"last_affected": "7.3.3"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:hospitality_guest_access",
"extracted_events": [
{
"last_affected": "4.2.0"
},
{
"last_affected": "4.2.1"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:hyperion_infrastructure_technology",
"extracted_events": [
{
"last_affected": "11.1.2.4"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:instantis_enterprisetrack",
"extracted_events": [
{
"introduced": "17.1"
},
{
"last_affected": "17.3"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:mysql_enterprise_monitor",
"extracted_events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.0.12"
},
{
"introduced": "8.0.0"
},
{
"last_affected": "8.0.20"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:retail_order_broker",
"extracted_events": [
{
"last_affected": "15.0"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:siebel_ui_framework",
"extracted_events": [
{
"last_affected": "20.5"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:transportation_management",
"extracted_events": [
{
"last_affected": "6.3.7"
}
]
},
{
"source": "CPE_FIELD",
"cpes": [
"cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*",
"cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*"
],
"vendor_product": "oracle:workload_manager",
"extracted_events": [
{
"last_affected": "12.2.0.1"
},
{
"last_affected": "18c"
},
{
"last_affected": "19c"
}
]
}
]
}