Vulnerability Details : CVE-2019-17569
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
Products affected by CVE-2019-17569
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomee:7.0.7:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise MonitorVersions from including (>=) 8.0.0 and up to, including, (<=) 8.0.20cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- Oracle » Instantis EnterprisetrackVersions from including (>=) 17.1 and up to, including, (<=) 17.3cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- Netapp » Oncommand System ManagerVersions from including (>=) 3.0.0 and up to, including, (<=) 3.1.3cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*
Threat overview for CVE-2019-17569
Top countries where our scanners detected CVE-2019-17569
Top open port discovered on systems with this issue
80
IPs affected by CVE-2019-17569 15,865
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-17569!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-17569
9.93%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-17569
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
|
4.8
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
2.2
|
2.5
|
NIST |
CWE ids for CVE-2019-17569
-
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17569
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E
[jira] [Created] (TOMEE-2790) TomEE plus(7.0.7) is affected by CVE-2020-1935 & CVE-2019-17569 vulnerabilities - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020Patch;Third Party Advisory
-
https://www.debian.org/security/2020/dsa-4680
Debian -- Security Information -- DSA-4680-1 tomcat9Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
[SECURITY] [DLA 2133-1] tomcat7 security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2020/dsa-4673
Debian -- Security Information -- DSA-4673-1 tomcat8Third Party Advisory
-
https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E
[SECURITY] CVE-2019-17569 HTTP Request Smuggling - Pony MailMailing List;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20200327-0005/
February 2020 Apache Tomcat Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E
[jira] [Commented] (TOMEE-2790) TomEE plus(7.0.7) is affected by CVE-2020-1935 & CVE-2019-17569 vulnerabilities - Pony MailMailing List;Vendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
[security-announce] openSUSE-SU-2020:0345-1: important: Security updateMailing List;Third Party Advisory
Jump to