CVE-2020-1935

Description

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

How to fix CVE-2020-1935

To remediate CVE-2020-1935, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.100 or later
• —upgrade to 9.0.31-1 or later
• —upgrade to 7.0.100 or later
• —upgrade to 7.0.100 or later

Is CVE-2020-1935 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 7.0.0, < 7.0.100, >= 8.5.0, < 8.5.51, >= 9.0.0, < 9.0.31
• from 0, < 9.0.31-1
• from 0, < 7.0.100
• from 0, < 7.0.100

CVSS scores

References (31)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1935
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1935
• WEBlists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
• WEBlists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E