Sunday, July 26, 2020 5:09 AM
To: users@tomcat.apache.org
Subject: Re: CVE-2020-1935
George,
As an open source project with an open development process, the Tomcat security
team has a number of challenges to deal with.
First, any commit to address a security issue will be public before the
security
header (it shouldn't; the HTTP/1.1 RFCs require CRLF
for headers), then a request smuggling attack as described by
CVE-2020-1935 is likely to be possible.
It should be relatively simple to test what the reverse proxy accepts
and doesn't accept. For completeness you might want to test how
iment.
Cheers!
George
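The CRLF-only rule discussed above, as an added example that is not Tomcat's code and not part of this thread: a small header-block parser with a strict mode (CRLF only, the RFC behaviour) and a lenient mode (bare LF also ends a line), plus a check reporting whether the two modes disagree on a constructed block that contains a bare LF. A reverse proxy that behaves like the strict mode is the property worth verifying.

```python
# Added example (not Tomcat's code): strict vs lenient header end-of-line
# parsing, the behaviour difference behind CVE-2020-1935.  Constructed input.
import re

CRLF = b"\r\n"


def parse_headers(raw: bytes, strict: bool = True) -> list[tuple[bytes, bytes]]:
    """Split an HTTP/1.1 header block into (name, value) pairs.

    strict=True : only CRLF ends a line (RFC 7230); a bare LF is an error.
    strict=False: a bare LF also ends a line (the lenient behaviour at issue).
    Raises ValueError on a malformed block.
    """
    head, sep, _ = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    if strict:
        if b"\n" in head.replace(CRLF, b""):
            raise ValueError("bare LF inside header block")
        lines = head.split(CRLF)
    else:
        lines = re.split(rb"\r?\n", head)
    headers = []
    for line in lines:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def parsers_disagree(raw: bytes) -> bool:
    """True when strict and lenient parsing differ or strict rejects the block.

    A reverse proxy that behaves like strict=True never forwards bytes on
    which a lenient backend would see additional headers.
    """
    try:
        strict_view = parse_headers(raw, strict=True)
    except ValueError:
        return True
    return strict_view != parse_headers(raw, strict=False)


# Constructed sample: the X-Trace line ends in a bare LF instead of CRLF, so
# a lenient parser sees three headers while a strict one rejects the block.
SAMPLE = b"Host: backend.example\r\nX-Trace: abc\nX-Extra: 1\r\n\r\n"
```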
-----Original Message-----
From: Christopher Schultz
Sent: Friday, July 24, 2020 3:40 PM
To: users@tomcat.apache.org
Subject: Re: CVE-2020-1935
George,
On 7/24/20 15:15, George Stanchev wrote:
> The description for this CVE is pretty vague (as perhaps
> necessary) but we have a customer that is trying to assess their
> risk for this CVE.
Their risk is probably very low. Their risk of a bun
The description for this CVE is pretty vague (as perhaps necessary) but we have
a customer that is trying to assess their risk for this CVE. They are behind a
reverse-proxy. Even though the description on Tomcat's security page states
that the risk is low it doesn't describe how would a reverse-
CVE-2020-1935 HTTP Request Smuggling
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
Description:
The HTTP header parsing code used an approach to end-of-line parsing
that