CVE-2019-17569: XSS
First published: Mon Feb 24 2020(Updated: )
Apache Tomcat is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el6 | 0:9.0.30-3.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el6 | 0:1.2.23-4.redhat_4.el6 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el7 | 0:9.0.30-3.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el7 | 0:1.2.23-4.redhat_4.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el8 | 0:9.0.30-3.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el8 | 0:1.2.23-4.redhat_4.el8 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u10 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2 | |
| IBM Data Risk Manager | <=2.0.6 | |
| redhat/tomcat | <9.0.31 | 9.0.31 |
| redhat/tomcat | <8.5.51 | 8.5.51 |
| redhat/tomcat | <7.0.100 | 7.0.100 |
| Apache Tomcat | >=7.0.98<=7.0.99 | |
| Apache Tomcat | >=8.5.48<=8.5.50 | |
| Apache Tomcat | >=9.0.28<=9.0.30 | |
| Apache TomEE | =7.0.7 | |
| openSUSE Leap | =15.1 | |
| Netapp Data Availability Services | ||
| NetApp OnCommand System Manager | >=3.0.0<=3.1.3 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile PLM | =9.3.3 | |
| Oracle Agile PLM | =9.3.5 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Instant Messaging Server | =10.0.1.4.0 | |
| Oracle Health Sciences Empirica Inspections | =1.0.1.2 | |
| Oracle Health Sciences Empirica Signal | =7.3.3 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Instantis Enterprisetrack | >=17.1<=17.3 | |
| Oracle Mysql Enterprise Monitor | <=4.0.12 | |
| Oracle Mysql Enterprise Monitor | >=8.0.0<=8.0.20 | |
| Oracle Transportation Management | =6.3.7 | |
| Oracle Workload Manager | =12.2.0.1 | |
| Oracle Workload Manager | =18c | |
| Oracle Workload Manager | =19c |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-17569 https://nvd.nist.gov/vuln/detail/CVE-2019-17569 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- https://bugzilla.redhat.com/show_bug.cgi?id=1806849
- https://access.redhat.com/errata/RHSA-2020:1520
- https://access.redhat.com/errata/RHSA-2020:1521
- https://access.redhat.com/security/cve/cve-2019-17569
- https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998
- https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3
- https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8
- https://security-tracker.debian.org/tracker/CVE-2019-17569
- https://github.com/apache/tomcat/commit/060ecc5
- https://github.com/apache/tomcat/commit/959f1df
- https://github.com/apache/tomcat/commit/b191a0d
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- https://security.netapp.com/advisory/ntap-20200327-0005/
- https://www.debian.org/security/2020/dsa-4673
- https://www.debian.org/security/2020/dsa-4680
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176784
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
Frequently Asked Questions
What is CVE-2019-17569?
CVE-2019-17569 is a vulnerability in Apache Tomcat that allows for HTTP request smuggling.
How severe is CVE-2019-17569?
CVE-2019-17569 has a severity rating of 6.5, which is considered medium.
What software versions are affected by CVE-2019-17569?
Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50, and 7.0.98 to 7.0.99 are affected by CVE-2019-17569.
How can I fix CVE-2019-17569?
To fix CVE-2019-17569, you should update Apache Tomcat to version 9.0.31, 8.5.51, or 7.0.100.
Where can I find more information about CVE-2019-17569?
You can find more information about CVE-2019-17569 on the Apache Tomcat GitHub page.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-17569
- agent/software-canonical-lookup
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.98
- version/apache tomcat/7.0.99
- version/apache tomcat/8.5.48
- version/apache tomcat/8.5.50
- version/apache tomcat/9.0.28
- version/apache tomcat/9.0.30
- canonical/apache tomee
- version/apache tomee/7.0.7
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/netapp
- canonical/netapp data availability services
- canonical/netapp oncommand system manager
- version/netapp oncommand system manager/3.0.0
- version/netapp oncommand system manager/3.1.3
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile plm
- version/oracle agile plm/9.3.3
- version/oracle agile plm/9.3.5
- version/oracle agile plm/9.3.6
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.4.0
- canonical/oracle health sciences empirica inspections
- version/oracle health sciences empirica inspections/1.0.1.2
- canonical/oracle health sciences empirica signal
- version/oracle health sciences empirica signal/7.3.3
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/4.0.12
- version/oracle mysql enterprise monitor/8.0.0
- version/oracle mysql enterprise monitor/8.0.20
- canonical/oracle transportation management
- version/oracle transportation management/6.3.7
- canonical/oracle workload manager
- version/oracle workload manager/12.2.0.1
- version/oracle workload manager/18c
- version/oracle workload manager/19c
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6