4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1935

GHSA ID

GHSA-qxf4-chvg-4r8r

EPSS Score

0.68999%

CWE

CWE-444

Published

2/28/2020

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-1935

CVE-2020-1935: Potential HTTP request smuggling in Apache Tomcat

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-1935

GHSA ID

GHSA-qxf4-chvg-4r8r

EPSS Score

0.68999%

CWE

CWE-444

Published

2/28/2020

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat.embed:tomcat-embed-core	maven	< 7.0.100	7.0.100
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 8.0.0, < 8.5.51	8.5.51
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0, < 9.0.31	9.0.31
org.apache.tomcat:tomcat	maven	< 7.0.100	7.0.100
org.apache.tomcat:tomcat	maven	>= 8.0.0, < 8.5.51	8.5.51
org.apache.tomcat:tomcat	maven	>= 9.0.0, < 9.0.31	9.0.31

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

In *p**** Tom**t *.*.*.M* to *.*.**, *.*.* to *.*.** *n* *.*.* to *.*.** t** *TTP *****r p*rsin* *o** us** *n *ppro*** to *n*-o*-lin* p*rsin* t**t *llow** som* inv*li* *TTP *****rs to ** p*rs** *s v*li*. T*is l** to * possi*ility o* *TTP R*qu*st Smu*

Reasoning

No *n*lysis *v*il**l*

4.8

Basic Information

Concerned about an active attack path?

CVE-2020-1935: Potential HTTP request smuggling in Apache Tomcat

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI