How severe is CVE-2020-1935?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.8 out of 10.

What type of vulnerability is CVE-2020-1935?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2020-1935 - MEDIUM Severity | CVSS 4.8

Vulnerability Description

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Related Vulnerabilities

CVE-2019-17569

MEDIUM

CVSS:4.8(Medium)

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were i...

CWE-4442019

CVE-2020-10687

MEDIUM

CVSS:4.8(Medium)

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid c...

CWE-4442020

CVE-2021-20220

MEDIUM

CVSS:4.8(Medium)

A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid ch...

CWE-4442021

CVE-2025-30346

MEDIUM

CVSS:4.8(Medium)

Varnish Cache before 7.6.2 and Varnish Enterprise before 6.0.13r10 allow client-side desync via HTTP/1 requests.

CWE-4442025

CVE-2022-39163

MEDIUM

CVSS:4.7(Medium)

IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site...

CWE-4442022

CVE-2024-9666

MEDIUM

CVSS:4.7(Medium)

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept...

CWE-4442024