CVE-2019-17569
- Source
- https://cve.org/CVERecord?id=CVE-2019-17569
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17569.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-17569
- Aliases
- Downstream
- Related
- Published
- 2020-02-24T22:15:11.903Z
- Modified
- 2026-04-02T02:04:27.872538Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
- References
-
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- https://www.debian.org/security/2020/dsa-4680
- https://security.netapp.com/advisory/ntap-20200327-0005/
- https://www.debian.org/security/2020/dsa-4673
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
Affected packages
Git / github.com/apache/tomcat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/tomcat
- Events
-
IntroducedLast affectedIntroducedLast affectedIntroducedLast affected
- Database specific
{ "versions": [ { "introduced": "7.0.98" }, { "last_affected": "7.0.99" }, { "introduced": "8.5.48" }, { "last_affected": "8.5.50" }, { "introduced": "9.0.28" }, { "last_affected": "9.0.30" } ] }
- Type
- GIT
- Repo
- https://github.com/apache/tomee
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "7.0.7" }, { "introduced": "0" }, { "last_affected": "9.0" }, { "introduced": "0" }, { "last_affected": "10.0" } ] }
Affected versions
1.*
1.6.0.3-TT.10
1.7.4-TT.1
7.*
7.0.6-TT.7
7.0.98
8.*
8.0.0-TT.1
8.5.48
9.*
9.0.28
openejb-4.*
openejb-4.7.2
openejb-4.7.5-TT.1
openejb-4.7.5-TT.7
tomee-1.*
tomee-1.0.0
tomee-1.0.0-beta-1
tomee-1.0.0-beta-2
tomee-1.5.0
tomee-1.5.1
tomee-1.5.2
tomee-1.6.0
tomee-1.6.0.1
tomee-1.6.0.2
tomee-1.6.0.3-TT.10
tomee-1.6.0.3-TT.11
tomee-1.6.0.3-TT.13
tomee-1.6.0.3-TT.14
tomee-1.6.0.3-TT.15
tomee-1.6.0.3-TT.16
tomee-1.6.0.3-TT.19
tomee-1.6.0.3-TT.2
tomee-1.6.0.3-TT.23
tomee-1.6.0.3-TT.24
tomee-1.6.0.3-TT.4
tomee-1.6.0.3-TT.5
tomee-1.6.0.3-TT.6
tomee-1.6.0.3-TT.7
tomee-1.6.0.3-tt.18
tomee-1.7.0
tomee-1.7.1
tomee-1.7.2
tomee-1.7.2-TT.1
tomee-1.7.2-TT.2
tomee-1.7.2-TT.3
tomee-1.7.3
tomee-1.7.3-TT.1
tomee-1.7.3-TT.2
tomee-1.7.3-TT.3
tomee-1.7.3-TT.4
tomee-1.7.4
tomee-1.7.4-SP.1
tomee-1.7.4-SP.2
tomee-1.7.4-SP.3
tomee-1.7.4-SP.4
tomee-1.7.4-SP.5
tomee-1.7.4-SP.7
tomee-1.7.4-TT.1
tomee-1.7.4-sp.6
tomee-1.7.5
tomee-1.7.5-TT.14
tomee-1.7.5-TT.15
tomee-1.7.5-TT.16
tomee-1.7.5-TT.17
tomee-1.7.5-TT.18
tomee-1.7.5-TT.3
tomee-1.7.5-TT.6
tomee-1.7.5-TT.7
tomee-1.7.5-TT.8
tomee-1.7.5-TT.9
tomee-1.7.6-TT.10
tomee-1.7.6-TT.11
tomee-1.7.6-TT.13
tomee-1.7.6-TT.16
tomee-1.7.6-TT.17
tomee-1.7.6-TT.3
tomee-1.7.6-TT.4
tomee-1.7.6-TT.5
tomee-1.7.6-TT.6
tomee-1.7.6-TT.7
tomee-1.7.6-TT.8
tomee-1.7.6-TT.9
tomee-1.7.6-tt.12
tomee-4.*
tomee-4.6.0.3-TT.1
tomee-7.*
tomee-7.0.0
tomee-7.0.0-M1
tomee-7.0.0-M2
tomee-7.0.0-M3
tomee-7.0.1
tomee-7.0.2
tomee-7.0.3
tomee-7.0.4
tomee-7.0.4-TT.1
tomee-7.0.4-TT.2
tomee-7.0.5
tomee-7.0.5-TT.2
tomee-7.0.5-TT.3
tomee-7.0.5-TT.4
tomee-7.0.6
tomee-7.0.6-TT.2
tomee-7.0.6-TT.5
tomee-7.0.6-TT.7
tomee-7.0.7
tomee-7.1.0
tomee-7.1.0-TT.1
tomee-7.1.1
tomee-7.1.1-TT.2
tomee-7.1.1-TT.4
tomee-7.1.2
tomee-7.1.2-TT.2
tomee-7.1.2-TT.3
tomee-7.1.2-TT.4
tomee-7.1.3
tomee-7.1.4
tomee-8.*
tomee-8.0.0
tomee-8.0.0-M1
tomee-8.0.0-M2
tomee-8.0.0-M3
tomee-8.0.1
tomee-8.0.2
tomee-8.0.5
tomee-8.0.6
tomee-project-7.*
tomee-project-7.1.5
tomee-project-8.*
tomee-project-8.0.1-TT.1
tomee-project-8.0.1-TT.2
tomee-project-8.0.10
tomee-project-8.0.11
tomee-project-8.0.12
tomee-project-8.0.13
tomee-project-8.0.14
tomee-project-8.0.15
tomee-project-8.0.16
tomee-project-8.0.3
tomee-project-8.0.4
tomee-project-8.0.7
tomee-project-8.0.8
tomee-project-8.0.9
tomee-project-9.*
tomee-project-9.0.0
tomee-project-9.0.0-M8
tomee-project-9.0.0.RC1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17569.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.1"
}
]
},
{
"events": [
{
"introduced": "3.0.0"
},
{
"last_affected": "3.1.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.2.1.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.3.6"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "10.0.1.4.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.3.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.2.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.2.1"
}
]
},
{
"events": [
{
"introduced": "17.1"
},
{
"last_affected": "17.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.12"
}
]
},
{
"events": [
{
"introduced": "8.0.0"
},
{
"last_affected": "8.0.20"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.3.7"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18c"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19c"
}
]
}
]