CVE-2020-1935 (Medium) detected in multiple libraries - autoclosed

[mend-for-github.lhy31512.workers.dev]

CVE-2020-1935 - Medium Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-8.5.34.jar, tomcat-embed-core-7.0.37.jar, tomcat-embed-core-7.0.0.jar, tomcat-embed-core-8.0.41.jar, tomcat-embed-core-8.5.35.jar

tomcat-embed-core-8.5.34.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/spring-webmvc-3.1/spring-webmvc-3.1.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.34/a038040d68a90397f95dd1e11b979fe364a5000f/tomcat-embed-core-8.5.34.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.17.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.5.17.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.34.jar (Vulnerable Library)

tomcat-embed-core-7.0.37.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/jsp-2.3/jsp-2.3.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.37.jar (Vulnerable Library)

tomcat-embed-core-7.0.0.jar

Core Tomcat implementation

Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/lambda-testing/lambda-testing.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.0.jar (Vulnerable Library)

tomcat-embed-core-8.0.41.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/servlet/request-3/request-3.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.0.41/b686e91f23f870ed9db2720bd159f30c5d3974a4/tomcat-embed-core-8.0.41.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.0.41/b686e91f23f870ed9db2720bd159f30c5d3974a4/tomcat-embed-core-8.0.41.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-8.0.41.jar (Vulnerable Library)

tomcat-embed-core-8.5.35.jar

Core Tomcat implementation

Path to dependency file: /dd-smoke-tests/springboot/springboot.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.18.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.5.18.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.35.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Publish Date: 2020-02-24

URL: CVE-2020-1935

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6v7p-v754-j89v

Release Date: 2020-02-24

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.51

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.51

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

---

⛑️ Automatic Remediation is available for this issue