{"id":"CVE-2019-17569","details":"The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.","aliases":["GHSA-767j-jfh2-jvrc"],"modified":"2026-05-28T04:04:56.944918305Z","published":"2020-02-24T22:15:11.903Z","related":["SUSE-SU-2020:0598-1","SUSE-SU-2020:0631-1","SUSE-SU-2020:0632-1","SUSE-SU-2020:1497-1","SUSE-SU-2020:1498-1","openSUSE-SU-2020:0345-1","openSUSE-SU-2024:11468-1","openSUSE-SU-2024:13441-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_RANGE","cpes":["cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*"],"vendor_product":"netapp:oncommand_system_manager","extracted_events":[{"introduced":"3.0.0"},{"last_affected":"3.1.3"}]},{"source":"CPE_RANGE","extracted_events":[{"introduced":"17.1"},{"last_affected":"17.3"}],"cpes":["cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:instantis_enterprisetrack"},{"source":"CPE_RANGE","vendor_product":"oracle:mysql_enterprise_monitor","extracted_events":[{"last_affected":"4.0.12"},{"introduced":"8.0.0"},{"last_affected":"8.0.20"}],"cpes":["cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","extracted_events":[{"last_affected":"15.1"}],"cpes":["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"],"vendor_product":"opensuse:leap"},{"source":"CPE_STRING","vendor_product":"oracle:agile_engineering_data_management","extracted_events":[{"last_affected":"6.2.1.0"}],"cpes":["cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"oracle:agile_plm","extracted_events":[{"last_affected":"9.3.3"},{"last_affected":"9.3.5"},{"last_affected":"9.3.6"}],"cpes":["cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*","cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"oracle:communications_instant_messaging_server","extracted_events":[{"last_affected":"10.0.1.4.0"}],"cpes":["cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","vendor_product":"oracle:health_sciences_empirica_inspections","extracted_events":[{"last_affected":"1.0.1.2"}],"cpes":["cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","extracted_events":[{"last_affected":"7.3.3"}],"cpes":["cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*"],"vendor_product":"oracle:health_sciences_empirica_signal"},{"source":"CPE_STRING","extracted_events":[{"last_affected":"4.2.0"},{"last_affected":"4.2.1"}],"cpes":["cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:hospitality_guest_access"},{"source":"CPE_STRING","vendor_product":"oracle:transportation_management","extracted_events":[{"last_affected":"6.3.7"}],"cpes":["cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*"]},{"source":"CPE_STRING","extracted_events":[{"last_affected":"12.2.0.1"},{"last_affected":"18c"},{"last_affected":"19c"}],"cpes":["cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*","cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*"],"vendor_product":"oracle:workload_manager"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200327-0005/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4673"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4680"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"fde40d7e0c7a1b0b2423cb84ad220a5d98b65591"},{"last_affected":"a94a0258f36d064aa032608a9e99c62018f22d94"},{"introduced":"35174cb9cfa4cf3d608db77485043af42cf92c8c"},{"last_affected":"c40ede65ea4fb44b1957ec482f28c7afa71f1b50"},{"introduced":"7c14efedba0cc81319efacb0e7f5129804e7b6f9"},{"last_affected":"4fab4cc012d0c31852e957d198cb0549f3d6074c"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"7.0.98"},{"last_affected":"7.0.99"},{"introduced":"8.5.48"},{"last_affected":"8.5.50"},{"introduced":"9.0.28"},{"last_affected":"9.0.30"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17569.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomee","events":[{"introduced":"0"},{"last_affected":"24420829cd7de768df247fa7b3c8ae62c13a68e2"}],"database_specific":{"source":"CPE_STRING","cpe":"cpe:2.3:a:apache:tomee:7.0.7:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"7.0.7"}]}}],"versions":["tomee-7.0.7","tomee-7.0.6","tomee-7.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17569.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}