CVE-2020-1935: XSS
First published: Mon Feb 24 2020(Updated: )
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <0:7.0.76-16.el7_9 | 0:7.0.76-16.el7_9 |
| redhat/tomcat | <0:7.0.76-11.el7_6 | 0:7.0.76-11.el7_6 |
| redhat/tomcat | <0:7.0.76-12.el7_7 | 0:7.0.76-12.el7_7 |
| redhat/tomcat7 | <0:7.0.70-41.ep7.el6 | 0:7.0.70-41.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-45.ep7.el6 | 0:8.0.36-45.ep7.el6 |
| redhat/tomcat7 | <0:7.0.70-41.ep7.el7 | 0:7.0.70-41.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-45.ep7.el7 | 0:8.0.36-45.ep7.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el6 | 0:9.0.30-3.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el6 | 0:1.2.23-4.redhat_4.el6 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el7 | 0:9.0.30-3.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el7 | 0:1.2.23-4.redhat_4.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el8 | 0:9.0.30-3.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el8 | 0:1.2.23-4.redhat_4.el8 |
| redhat/tomcat | <9.0.31 | 9.0.31 |
| redhat/tomcat | <8.5.51 | 8.5.51 |
| redhat/tomcat | <7.0.100 | 7.0.100 |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1 | |
| IBM Data Risk Manager | <=2.0.6 | |
| Tomcat | >=7.0.0<=7.0.99 | |
| Tomcat | >=8.5.0<=8.5.50 | |
| Tomcat | >=9.0.0<=9.0.30 | |
| Tomcat | =9.0.0 | |
| Tomcat | =9.0.0-milestone1 | |
| Tomcat | =9.0.0-milestone10 | |
| Tomcat | =9.0.0-milestone11 | |
| Tomcat | =9.0.0-milestone12 | |
| Tomcat | =9.0.0-milestone13 | |
| Tomcat | =9.0.0-milestone14 | |
| Tomcat | =9.0.0-milestone15 | |
| Tomcat | =9.0.0-milestone16 | |
| Tomcat | =9.0.0-milestone17 | |
| Tomcat | =9.0.0-milestone18 | |
| Tomcat | =9.0.0-milestone19 | |
| Tomcat | =9.0.0-milestone2 | |
| Tomcat | =9.0.0-milestone20 | |
| Tomcat | =9.0.0-milestone21 | |
| Tomcat | =9.0.0-milestone22 | |
| Tomcat | =9.0.0-milestone23 | |
| Tomcat | =9.0.0-milestone24 | |
| Tomcat | =9.0.0-milestone25 | |
| Tomcat | =9.0.0-milestone26 | |
| Tomcat | =9.0.0-milestone27 | |
| Tomcat | =9.0.0-milestone3 | |
| Tomcat | =9.0.0-milestone4 | |
| Tomcat | =9.0.0-milestone5 | |
| Tomcat | =9.0.0-milestone6 | |
| Tomcat | =9.0.0-milestone7 | |
| Tomcat | =9.0.0-milestone8 | |
| Tomcat | =9.0.0-milestone9 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Ubuntu | =16.04 | |
| SUSE Linux | =15.1 | |
| NetApp Data Availability Services | ||
| NetApp System Manager | >=3.0.0<=3.1.3 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile PLM | =9.3.3 | |
| Oracle Agile PLM | =9.3.5 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Element Manager | =8.2.1 | |
| Oracle Communications Instant Messaging Server | =10.0.1.4.0 | |
| Oracle Health Sciences Empirica Inspections | =1.0.1.2 | |
| Oracle Health Sciences Empirica Signal | =7.3.3 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Instantis EnterpriseTrack | >=17.1<=17.3 | |
| MySQL Enterprise Monitor | >=4.0.0<=4.0.12 | |
| MySQL Enterprise Monitor | >=8.0.0<=8.0.20 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Siebel User Interface Framework | <=20.5 | |
| Oracle Transportation Execution | =6.3.7 | |
| Oracle Workload Manager | =12.2.0.1 | |
| Oracle Workload Manager | =18c | |
| Oracle Workload Manager | =19c |
Remedy
Workaround for Red Hat Satellite 6 is to add iptables rule to deny TCP requests of Tomcat that are not originating from the Satellite. For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- https://bugzilla.redhat.com/show_bug.cgi?id=1806835
- https://access.redhat.com/errata/RHSA-2020:5020
- https://access.redhat.com/errata/RHSA-2021:0882
- https://access.redhat.com/errata/RHSA-2021:1030
- https://access.redhat.com/errata/RHSA-2020:4847
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/errata/RHSA-2020:3305
- https://access.redhat.com/errata/RHSA-2020:3303
- https://access.redhat.com/errata/RHSA-2020:1520
- https://access.redhat.com/errata/RHSA-2020:1521
- https://access.redhat.com/errata/RHSA-2020:2367
- https://access.redhat.com/security/cve/cve-2020-1935
- https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200327-0005/
- https://www.debian.org/security/2020/dsa-4673
- https://www.debian.org/security/2020/dsa-4680
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E
- https://usn.ubuntu.com/4448-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2020-1935
- https://github.com/apache/tomcat/commit/8bfb0ff
- https://github.com/apache/tomcat/commit/8fbe2e9
- https://github.com/apache/tomcat/commit/702bf15
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26
- https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56
- https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d
- https://security-tracker.debian.org/tracker/CVE-2020-1935
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176788
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935
- https://nvd.nist.gov/vuln/detail/CVE-2020-1935
- https://ubuntu.com/security/CVE-2020-1935
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-1935?
CVE-2020-1935 has a moderate severity level due to the potential for HTTP request smuggling.
How do I fix CVE-2020-1935?
To fix CVE-2020-1935, upgrade to Apache Tomcat version 7.0.100, 8.5.51, or 9.0.31 or later.
Which versions of Apache Tomcat are affected by CVE-2020-1935?
CVE-2020-1935 affects Apache Tomcat versions before 7.0.100, 8.5.51, and 9.0.31.
What is HTTP request smuggling related to CVE-2020-1935?
HTTP request smuggling involves sending maliciously crafted requests that can bypass security controls by exploiting the flawed header parsing.
Is CVE-2020-1935 applicable to reverse proxy configurations?
Yes, CVE-2020-1935 is particularly concerning when Tomcat is deployed behind a reverse proxy that does not handle headers correctly.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1935
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/description
- agent/event
- agent/last-modified-date
- agent/trending
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/apache
- canonical/tomcat
- version/tomcat/7.0.0
- version/tomcat/7.0.99
- version/tomcat/8.5.0
- version/tomcat/8.5.50
- version/tomcat/9.0.0
- version/tomcat/9.0.30
- version/tomcat/9.0.0-milestone1
- version/tomcat/9.0.0-milestone10
- version/tomcat/9.0.0-milestone11
- version/tomcat/9.0.0-milestone12
- version/tomcat/9.0.0-milestone13
- version/tomcat/9.0.0-milestone14
- version/tomcat/9.0.0-milestone15
- version/tomcat/9.0.0-milestone16
- version/tomcat/9.0.0-milestone17
- version/tomcat/9.0.0-milestone18
- version/tomcat/9.0.0-milestone19
- version/tomcat/9.0.0-milestone2
- version/tomcat/9.0.0-milestone20
- version/tomcat/9.0.0-milestone21
- version/tomcat/9.0.0-milestone22
- version/tomcat/9.0.0-milestone23
- version/tomcat/9.0.0-milestone24
- version/tomcat/9.0.0-milestone25
- version/tomcat/9.0.0-milestone26
- version/tomcat/9.0.0-milestone27
- version/tomcat/9.0.0-milestone3
- version/tomcat/9.0.0-milestone4
- version/tomcat/9.0.0-milestone5
- version/tomcat/9.0.0-milestone6
- version/tomcat/9.0.0-milestone7
- version/tomcat/9.0.0-milestone8
- version/tomcat/9.0.0-milestone9
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- vendor/opensuse
- canonical/suse linux
- version/suse linux/15.1
- vendor/netapp
- canonical/netapp data availability services
- canonical/netapp system manager
- version/netapp system manager/3.0.0
- version/netapp system manager/3.1.3
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile plm
- version/oracle agile plm/9.3.3
- version/oracle agile plm/9.3.5
- version/oracle agile plm/9.3.6
- canonical/oracle communications element manager
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.1
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.4.0
- canonical/oracle health sciences empirica inspections
- version/oracle health sciences empirica inspections/1.0.1.2
- canonical/oracle health sciences empirica signal
- version/oracle health sciences empirica signal/7.3.3
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.3
- canonical/mysql enterprise monitor
- version/mysql enterprise monitor/4.0.0
- version/mysql enterprise monitor/4.0.12
- version/mysql enterprise monitor/8.0.0
- version/mysql enterprise monitor/8.0.20
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/20.5
- canonical/oracle transportation execution
- version/oracle transportation execution/6.3.7
- canonical/oracle workload manager
- version/oracle workload manager/12.2.0.1
- version/oracle workload manager/18c
- version/oracle workload manager/19c