CVE-2019-17569 — MEDIUM (4.8)

Q: How severe is CVE-2019-17569?

CVE-2019-17569 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-17569?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Apache Tomee, Opensuse Leap, Netapp Data Availability Services, Netapp Oncommand System Manager.

Vulnerability Description

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVSS Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Tomcat	>= 7.0.98, <= 7.0.99
Apache	Tomee	7.0.7
Opensuse	Leap	15.1
Netapp	Data Availability Services	-
Netapp	Oncommand System Manager	>= 3.0.0, <= 3.1.3
Debian	Debian Linux	9.0
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Agile Plm	9.3.3
Oracle	Communications Instant Messaging Server	10.0.1.4.0
Oracle	Health Sciences Empirica Inspections	1.0.1.2
Oracle	Health Sciences Empirica Signal	7.3.3
Oracle	Hospitality Guest Access	4.2.0
Oracle	Instantis Enterprisetrack	>= 17.1, <= 17.3
Oracle	Mysql Enterprise Monitor	<= 4.0.12
Oracle	Transportation Management	6.3.7
Oracle	Workload Manager	12.2.0.1

Related Weaknesses (CWE)

CWE-444

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlMailing ListThird Party Advisory
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15e
https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813Mailing ListVendor Advisory
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a392
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0005/Third Party Advisory
https://www.debian.org/security/2020/dsa-4673Third Party Advisory
https://www.debian.org/security/2020/dsa-4680Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlMailing ListThird Party Advisory
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15e
https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813Mailing ListVendor Advisory
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a392

FAQ

What is CVE-2019-17569?

CVE-2019-17569 is a vulnerability with a CVSS score of 4.8 (MEDIUM). The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were i...

How severe is CVE-2019-17569?

CVE-2019-17569 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-17569?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Apache Tomee, Opensuse Leap, Netapp Data Availability Services, Netapp Oncommand System Manager.