{"id":"CVE-2019-17569","details":"The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.","aliases":["GHSA-767j-jfh2-jvrc"],"modified":"2026-04-02T02:04:27.872538Z","published":"2020-02-24T22:15:11.903Z","related":["MGASA-2020-0138","SUSE-SU-2020:0598-1","SUSE-SU-2020:0631-1","SUSE-SU-2020:0632-1","SUSE-SU-2020:1497-1","SUSE-SU-2020:1498-1","openSUSE-SU-2020:0345-1","openSUSE-SU-2024:11468-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4680"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200327-0005/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4673"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"fde40d7e0c7a1b0b2423cb84ad220a5d98b65591"},{"last_affected":"a94a0258f36d064aa032608a9e99c62018f22d94"},{"introduced":"35174cb9cfa4cf3d608db77485043af42cf92c8c"},{"last_affected":"c40ede65ea4fb44b1957ec482f28c7afa71f1b50"},{"introduced":"7c14efedba0cc81319efacb0e7f5129804e7b6f9"},{"last_affected":"4fab4cc012d0c31852e957d198cb0549f3d6074c"}],"database_specific":{"versions":[{"introduced":"7.0.98"},{"last_affected":"7.0.99"},{"introduced":"8.5.48"},{"last_affected":"8.5.50"},{"introduced":"9.0.28"},{"last_affected":"9.0.30"}]}},{"type":"GIT","repo":"https://github.com/apache/tomee","events":[{"introduced":"0"},{"last_affected":"24420829cd7de768df247fa7b3c8ae62c13a68e2"},{"introduced":"0"},{"last_affected":"20ebd33765e7d2af3f687f17948971c432e3f23c"},{"introduced":"0"},{"last_affected":"cbe44d2633f2f428e9960f3c5a57ca80df6ea915"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.0.7"},{"introduced":"0"},{"last_affected":"9.0"},{"introduced":"0"},{"last_affected":"10.0"}]}}],"versions":["1.6.0.3-TT.10","1.7.4-TT.1","7.0.6-TT.7","7.0.98","8.0.0-TT.1","8.5.48","9.0.28","openejb-4.7.2","openejb-4.7.5-TT.1","openejb-4.7.5-TT.7","tomee-1.0.0","tomee-1.0.0-beta-1","tomee-1.0.0-beta-2","tomee-1.5.0","tomee-1.5.1","tomee-1.5.2","tomee-1.6.0","tomee-1.6.0.1","tomee-1.6.0.2","tomee-1.6.0.3-TT.10","tomee-1.6.0.3-TT.11","tomee-1.6.0.3-TT.13","tomee-1.6.0.3-TT.14","tomee-1.6.0.3-TT.15","tomee-1.6.0.3-TT.16","tomee-1.6.0.3-TT.19","tomee-1.6.0.3-TT.2","tomee-1.6.0.3-TT.23","tomee-1.6.0.3-TT.24","tomee-1.6.0.3-TT.4","tomee-1.6.0.3-TT.5","tomee-1.6.0.3-TT.6","tomee-1.6.0.3-TT.7","tomee-1.6.0.3-tt.18","tomee-1.7.0","tomee-1.7.1","tomee-1.7.2","tomee-1.7.2-TT.1","tomee-1.7.2-TT.2","tomee-1.7.2-TT.3","tomee-1.7.3","tomee-1.7.3-TT.1","tomee-1.7.3-TT.2","tomee-1.7.3-TT.3","tomee-1.7.3-TT.4","tomee-1.7.4","tomee-1.7.4-SP.1","tomee-1.7.4-SP.2","tomee-1.7.4-SP.3","tomee-1.7.4-SP.4","tomee-1.7.4-SP.5","tomee-1.7.4-SP.7","tomee-1.7.4-TT.1","tomee-1.7.4-sp.6","tomee-1.7.5","tomee-1.7.5-TT.14","tomee-1.7.5-TT.15","tomee-1.7.5-TT.16","tomee-1.7.5-TT.17","tomee-1.7.5-TT.18","tomee-1.7.5-TT.3","tomee-1.7.5-TT.6","tomee-1.7.5-TT.7","tomee-1.7.5-TT.8","tomee-1.7.5-TT.9","tomee-1.7.6-TT.10","tomee-1.7.6-TT.11","tomee-1.7.6-TT.13","tomee-1.7.6-TT.16","tomee-1.7.6-TT.17","tomee-1.7.6-TT.3","tomee-1.7.6-TT.4","tomee-1.7.6-TT.5","tomee-1.7.6-TT.6","tomee-1.7.6-TT.7","tomee-1.7.6-TT.8","tomee-1.7.6-TT.9","tomee-1.7.6-tt.12","tomee-4.6.0.3-TT.1","tomee-7.0.0","tomee-7.0.0-M1","tomee-7.0.0-M2","tomee-7.0.0-M3","tomee-7.0.1","tomee-7.0.2","tomee-7.0.3","tomee-7.0.4","tomee-7.0.4-TT.1","tomee-7.0.4-TT.2","tomee-7.0.5","tomee-7.0.5-TT.2","tomee-7.0.5-TT.3","tomee-7.0.5-TT.4","tomee-7.0.6","tomee-7.0.6-TT.2","tomee-7.0.6-TT.5","tomee-7.0.6-TT.7","tomee-7.0.7","tomee-7.1.0","tomee-7.1.0-TT.1","tomee-7.1.1","tomee-7.1.1-TT.2","tomee-7.1.1-TT.4","tomee-7.1.2","tomee-7.1.2-TT.2","tomee-7.1.2-TT.3","tomee-7.1.2-TT.4","tomee-7.1.3","tomee-7.1.4","tomee-8.0.0","tomee-8.0.0-M1","tomee-8.0.0-M2","tomee-8.0.0-M3","tomee-8.0.1","tomee-8.0.2","tomee-8.0.5","tomee-8.0.6","tomee-project-7.1.5","tomee-project-8.0.1-TT.1","tomee-project-8.0.1-TT.2","tomee-project-8.0.10","tomee-project-8.0.11","tomee-project-8.0.12","tomee-project-8.0.13","tomee-project-8.0.14","tomee-project-8.0.15","tomee-project-8.0.16","tomee-project-8.0.3","tomee-project-8.0.4","tomee-project-8.0.7","tomee-project-8.0.8","tomee-project-8.0.9","tomee-project-9.0.0","tomee-project-9.0.0-M8","tomee-project-9.0.0.RC1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"3.0.0"},{"last_affected":"3.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.0.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.1"}]},{"events":[{"introduced":"17.1"},{"last_affected":"17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.0.12"}]},{"events":[{"introduced":"8.0.0"},{"last_affected":"8.0.20"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3.7"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"19c"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17569.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}