CVE-2019-17569 - incorrect transfer-encoding handling

Severity

4.8

A refactoring in Tomcat introduced a regression that caused invalid Transfer-Encoding headers to be processed incorrectly. This made HTTP request smuggling possible if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
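
The following is an added example, not part of the original advisory and not Tomcat or TomEE code: a strict framing check of the kind a front end can apply so that proxy and backend never disagree on where a request body ends. It assumes "invalid" means a violation of RFC 7230 sections 3.2.4, 3.3.1 and 3.3.3 (the advisory does not say which malformation triggers the regression); the function name, the coding allow-list and the sample requests are constructed for illustration.

```python
# Added example: strict request-framing check (RFC 7230 3.2.4, 3.3.1, 3.3.3).
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}  # assumed allow-list

def framing_problems(raw: bytes) -> list:
    """Return reasons the framing is ambiguous; an empty list means accept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    problems, codings, has_cl = [], [], False
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            problems.append("header line without a colon")
            continue
        if not name or name != name.strip():
            problems.append("empty or whitespace-padded header name")
        lname = name.strip().lower()
        if lname == "content-length":
            has_cl = True
        elif lname == "transfer-encoding":
            # Repeated headers are combined in order, as one comma-separated list.
            codings += [c.strip().lower() for c in value.split(",")]
    for coding in codings:
        if coding not in KNOWN_CODINGS:
            problems.append("unknown transfer coding %r" % coding)
    if codings and codings[-1] != "chunked":
        problems.append("chunked is not the final transfer coding")
    if codings.count("chunked") > 1:
        problems.append("chunked applied more than once")
    if codings and has_cl:
        problems.append("Transfer-Encoding and Content-Length both present")
    return problems

# Constructed sample requests (not captured traffic).
_HEAD = b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
SAMPLES = {
    "valid": _HEAD + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "not_last": _HEAD + b"Transfer-Encoding: chunked, gzip\r\n\r\n",
    "unknown": _HEAD + b"Transfer-Encoding: xchunked\r\n\r\n",
    "te_and_cl": _HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "split": _HEAD + b"Transfer-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict = framing_problems(request)
        print(label, "REJECT" if verdict else "accept", verdict)
```

A request that yields a non-empty list is one a strict front end would answer with 400 rather than forward.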

Project

Apache Tomcat & Apache TomEE

Versions affected

Apache Tomcat

Tomcat 6.x: All
Tomcat 7.x: 7.0.0 to 7.0.99
Tomcat 8.0.x: All
Tomcat 8.5.x: 8.5.0 to 8.5.50
Tomcat 9.x: 9.0.0.M1 to 9.0.0.30

Apache TomEE

TomEE 1.7.x: All
TomEE 7.0.x: 7.0.0-M1 to 7.0.7
TomEE 7.1.x: 7.1.0 to 7.1.2
TomEE 8.0.x: 8.0.0-M1 to 8.0.1