WID-SEC-W-2023-2130
Vulnerability from csaf_certbund
Published
2020-02-25 23:00
Modified
2023-09-27 22:00
Summary
Apache Tomcat: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Dateien zu manipulieren und Informationen offenzulegen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Dateien zu manipulieren und Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2130 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-2130.json", }, { category: "self", summary: "WID-SEC-2023-2130 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2130", }, { category: "external", summary: "Amazon Linux Security Advisory ALASTOMCAT8.5-2023-012 vom 2023-09-27", url: "https://alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-012.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2023-2216 vom 2023-08-23", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2216.html", }, { category: "external", summary: "Apache Tomcat Security Advisory vom 2020-02-25", url: "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E", }, { category: "external", summary: "Apache Tomcat Security Advisory vom 2020-02-25", url: "https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:0598-1 vom 2020-03-06", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20200598-1.html", }, { category: "external", summary: "Debian Security Advisory DLA 2133 vom 2020-03-05", url: "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202003/msg00006.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:0631-1 vom 2020-03-10", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20200631-1.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:0632-1 vom 2020-03-10", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20200632-1.html", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-018 vom 2020-03-29", url: "https://downloads.avaya.com/css/P8/documents/101065046", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:1521 vom 2020-04-21", url: "https://access.redhat.com/errata/RHSA-2020:1521", }, { category: "external", summary: "Debian Security Advisory DSA-4673 vom 2020-05-04", url: "https://www.debian.org/security/2020/dsa-4673", }, { category: "external", summary: "Debian Security Advisory DSA-4680 vom 2020-05-07", url: "https://security-tracker.debian.org/tracker/DSA-4680-1", }, { category: "external", summary: "AVAYA Security Advisory ASA-2020-029 vom 2020-05-25", url: "https://downloads.avaya.com/css/P8/documents/101066935", }, { category: "external", summary: "Debian Security Advisory DLA 2209 vom 2020-05-29", url: "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202005/msg00026.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1498-1 vom 2020-06-16", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20201498-1.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:1497-1 vom 2020-06-16", url: "https://www.suse.com/support/update/announcement/2020/suse-su-20201497-1.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:1030 vom 2021-03-30", url: "https://access.redhat.com/errata/RHSA-2021:1030", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3303 vom 2020-08-04", url: "https://access.redhat.com/errata/RHSA-2020:3303", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:3305 vom 2020-08-04", url: "https://access.redhat.com/errata/RHSA-2020:3305", }, { category: "external", summary: "Ubuntu Security Notice USN-4448-1 vom 2020-08-04", url: "https://usn.ubuntu.com/4448-1/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2020:2611-1 vom 2020-09-11", url: "http://lists.suse.com/pipermail/sle-security-updates/2020-September/007410.html", }, { category: "external", summary: "Hewlett Packard Enterprise Support Center", url: "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbux04015en_us", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2020:5020 vom 2020-11-10", url: "https://access.redhat.com/errata/RHSA-2020:5020", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2020-5020 vom 2020-11-12", url: "https://linux.oracle.com/errata/ELSA-2020-5020.html", }, { category: "external", summary: "CentOS Security Advisory CESA-2020:5020 vom 2020-11-18", url: "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2020-5020-Low-CentOS-7-tomcat-Security-Update-tp4646031.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:0882 vom 2021-03-16", url: "https://access.redhat.com/errata/RHSA-2021:0882", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2021:3140 vom 2021-08-11", url: "https://access.redhat.com/errata/RHSA-2021:3140", }, { category: "external", summary: "Dell NetWorker Security Update", url: "https://www.dell.com/support/kbdoc/de-de/000189694/dsa-2021-125-dell-emc-networker-security-update-for-multiple-vulnerabilities", }, ], source_lang: "en-US", title: "Apache Tomcat: Mehrere Schwachstellen", tracking: { current_release_date: "2023-09-27T22:00:00.000+00:00", generator: { date: "2024-08-15T17:57:23.084+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2130", initial_release_date: "2020-02-25T23:00:00.000+00:00", revision_history: [ { date: "2020-02-25T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2020-03-05T23:00:00.000+00:00", number: "2", summary: "Neue Updates von SUSE und Debian aufgenommen", }, { date: "2020-03-10T23:00:00.000+00:00", number: "3", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2020-03-29T22:00:00.000+00:00", number: "4", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-04-20T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-05-03T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Debian aufgenommen", }, { date: "2020-05-06T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Debian aufgenommen", }, { date: "2020-05-24T22:00:00.000+00:00", number: "8", summary: "Neue Updates von AVAYA aufgenommen", }, { date: "2020-05-28T22:00:00.000+00:00", number: "9", summary: "Neue Updates von Debian aufgenommen", }, { date: "2020-06-16T22:00:00.000+00:00", number: "10", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2020-08-03T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-08-04T22:00:00.000+00:00", number: "12", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2020-09-13T22:00:00.000+00:00", number: "13", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2020-09-22T22:00:00.000+00:00", number: "14", summary: "Neue Updates von HP aufgenommen", }, { date: "2020-11-10T23:00:00.000+00:00", number: "15", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2020-11-11T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2020-11-18T23:00:00.000+00:00", number: "17", summary: "Neue Updates von CentOS aufgenommen", }, { date: "2021-03-16T23:00:00.000+00:00", number: "18", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-03-29T22:00:00.000+00:00", number: "19", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-08-11T22:00:00.000+00:00", number: "20", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2021-08-18T22:00:00.000+00:00", number: "21", summary: "Neue Updates von EMC aufgenommen", }, { date: "2023-08-23T22:00:00.000+00:00", number: "22", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-09-27T22:00:00.000+00:00", number: "23", summary: "Neue Updates von Amazon aufgenommen", }, ], status: "final", version: "23", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { branches: [ { category: "product_name", name: "Apache Tomcat < 7.0.100", product: { name: "Apache Tomcat < 7.0.100", product_id: "665641", product_identification_helper: { cpe: "cpe:/a:apache:tomcat:7.0.100", }, }, }, { category: "product_name", name: "Apache Tomcat < 8.5.51", product: { name: "Apache Tomcat < 8.5.51", product_id: "T015938", product_identification_helper: { cpe: "cpe:/a:apache:tomcat:8.5.51", }, }, }, { category: "product_name", name: "Apache Tomcat < 9.0.31", product: { name: "Apache Tomcat < 9.0.31", product_id: "T015939", product_identification_helper: { cpe: "cpe:/a:apache:tomcat:9.0.31", }, }, }, ], category: "product_name", name: "Tomcat", }, ], category: "vendor", name: "Apache", }, { branches: [ { category: "product_name", name: "Avaya Aura Application Enablement Services", product: { name: "Avaya Aura Application Enablement Services", product_id: "T015516", product_identification_helper: { cpe: "cpe:/a:avaya:aura_application_enablement_services:-", }, }, }, { category: "product_name", name: "Avaya Aura Experience Portal", product: { name: "Avaya Aura Experience Portal", product_id: "T015519", product_identification_helper: { cpe: "cpe:/a:avaya:aura_experience_portal:-", }, }, }, { category: "product_name", name: "Avaya CMS", product: { name: "Avaya CMS", product_id: "997", product_identification_helper: { cpe: "cpe:/a:avaya:call_management_system_server:-", }, }, }, { category: "product_name", name: "Avaya Session Border Controller", product: { name: "Avaya Session Border Controller", product_id: "T015520", product_identification_helper: { cpe: "cpe:/h:avaya:session_border_controller:-", }, }, }, { category: "product_name", name: "Avaya one-X", product: { name: "Avaya one-X", product_id: "1024", product_identification_helper: { cpe: "cpe:/a:avaya:one-x:-", }, }, }, ], category: "vendor", name: "Avaya", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "EMC NetWorker", product: { name: "EMC NetWorker", product_id: "3479", product_identification_helper: { cpe: "cpe:/a:emc:networker:-", }, }, }, ], category: "vendor", name: "EMC", }, { branches: [ { category: "product_name", name: "HPE HP-UX", product: { name: "HPE HP-UX", product_id: "4871", product_identification_helper: { cpe: "cpe:/o:hp:hp-ux:-", }, }, }, ], category: "vendor", name: "HPE", }, { branches: [ { category: "product_name", name: "Open Source CentOS", product: { name: "Open Source CentOS", product_id: "1727", product_identification_helper: { cpe: "cpe:/o:centos:centos:-", }, }, }, ], category: "vendor", name: "Open Source", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2019-17569", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Apache Tomcat. Wenn Tomcat hinter einem Reverse-Proxy steht, der einen ungültigen Transfer-Encoding-Header auf eine bestimmte Art und Weise falsch behandelt, besteht die Möglichkeit des HTTP-Request-Smuggling Angriffs. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen oder Dateien zu manipulieren.", }, ], product_status: { known_affected: [ "T015519", "67646", "T015516", "4871", "T004914", "T015520", "3479", "2951", "T002207", "1024", "T000126", "997", "398363", "1727", ], }, release_date: "2020-02-25T23:00:00.000+00:00", title: "CVE-2019-17569", }, { cve: "CVE-2020-1935", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Apache Tomcat. Durch eine unsachgemäße Behandlung von HTTP-Headern im Zeilenende-Parsing, werden unter bestimmten Umständen ungültige HTTP-Header als gültig erkannt. Wenn Tomcat hinter einem Reverse-Proxy steht, besteht die Möglichkeit des HTTP-Request-Smuggling Angriffs. Ein entfernter anonymer Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen oder Dateien zu manipulieren.", }, ], product_status: { known_affected: [ "T015519", "67646", "T015516", "4871", "T004914", "T015520", "3479", "2951", "T002207", "1024", "T000126", "997", "398363", "1727", ], }, release_date: "2020-02-25T23:00:00.000+00:00", title: "CVE-2020-1935", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.