1. CVE-Search
  2. CVE-2005-2090
ID CVE-2005-2090
Summary Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 15-04-2019 - 16:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
oval via4
accepted 2013-04-29T04:06:11.064-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
family unix
id oval:org.mitre.oval:def:10499
status accepted
submitted 2010-07-09T03:56:16-04:00
title Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
version 18
redhat via4
advisories
  • rhsa
    id RHSA-2007:0327
  • rhsa
    id RHSA-2007:0360
  • rhsa
    id RHSA-2008:0261
rpms
  • jakarta-commons-modeler-0:2.0-3jpp_2rh
  • jakarta-commons-modeler-javadoc-0:2.0-3jpp_2rh
  • tomcat5-0:5.5.23-0jpp_4rh.3
  • tomcat5-admin-webapps-0:5.5.23-0jpp_4rh.3
  • tomcat5-common-lib-0:5.5.23-0jpp_4rh.3
  • tomcat5-jasper-0:5.5.23-0jpp_4rh.3
  • tomcat5-jasper-javadoc-0:5.5.23-0jpp_4rh.3
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.3
  • tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp_4rh.3
  • tomcat5-server-lib-0:5.5.23-0jpp_4rh.3
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.3
  • tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp_4rh.3
  • tomcat5-webapps-0:5.5.23-0jpp_4rh.3
  • jakarta-commons-modeler-0:1.1-8jpp.1.0.2.el5
  • jakarta-commons-modeler-debuginfo-0:1.1-8jpp.1.0.2.el5
  • jakarta-commons-modeler-javadoc-0:1.1-8jpp.1.0.2.el5
  • tomcat5-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-admin-webapps-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-common-lib-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-debuginfo-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jasper-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jasper-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-server-lib-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.1.0.3.el5
  • tomcat5-webapps-0:5.5.23-0jpp.1.0.3.el5
  • jakarta-commons-modeler-0:2.0-3jpp_3rh
  • tomcat5-0:5.5.23-0jpp_6rh
  • tomcat5-common-lib-0:5.5.23-0jpp_6rh
  • tomcat5-jasper-0:5.5.23-0jpp_6rh
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp_6rh
  • tomcat5-server-lib-0:5.5.23-0jpp_6rh
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp_6rh
  • tomcat5-0:5.0.30-0jpp_5rh
  • tomcat5-admin-webapps-0:5.0.30-0jpp_5rh
  • tomcat5-webapps-0:5.0.30-0jpp_5rh
  • jbossas-0:4.0.5-2.CP04.el4s1.2
  • jbossas-ejb3-0:1.0.0-0.2.rc9.CP04.el4s1.2
  • jakarta-commons-pool-0:1.2-2jpp_2rh
  • tomcat5-0:5.0.30-0jpp_6rh
  • tyrex-0:1.0.1-2jpp_2rh
  • jabberd-0:2.0s10-3.38.rhn
  • java-1.4.2-ibm-0:1.4.2.10-1jpp.2.el4
  • java-1.4.2-ibm-devel-0:1.4.2.10-1jpp.2.el4
  • jfreechart-0:0.9.20-3.rhn
  • openmotif21-0:2.1.30-11.RHEL4.6
  • openmotif21-debuginfo-0:2.1.30-11.RHEL4.6
  • perl-Crypt-CBC-0:2.24-1.el4
  • rhn-apache-0:1.3.27-36.rhn.rhel4
  • rhn-modjk-ap13-0:1.2.23-2rhn.rhel4
  • rhn-modperl-0:1.29-16.rhel4
  • rhn-modssl-0:2.8.12-8.rhn.10.rhel4
  • tomcat5-0:5.0.30-0jpp_10rh
  • jabberd-0:2.0s10-3.37.rhn
  • jabberd-0:2.0s10-3.38.rhn
  • java-1.4.2-ibm-0:1.4.2.10-1jpp.2.el3
  • java-1.4.2-ibm-0:1.4.2.10-1jpp.2.el4
  • java-1.4.2-ibm-devel-0:1.4.2.10-1jpp.2.el3
  • java-1.4.2-ibm-devel-0:1.4.2.10-1jpp.2.el4
  • jfreechart-0:0.9.20-3.rhn
  • openmotif21-0:2.1.30-11.RHEL4.6
  • openmotif21-0:2.1.30-9.RHEL3.8
  • openmotif21-debuginfo-0:2.1.30-11.RHEL4.6
  • openmotif21-debuginfo-0:2.1.30-9.RHEL3.8
  • perl-Crypt-CBC-0:2.24-1.el3
  • perl-Crypt-CBC-0:2.24-1.el4
  • rhn-apache-0:1.3.27-36.rhn.rhel3
  • rhn-apache-0:1.3.27-36.rhn.rhel4
  • rhn-modjk-ap13-0:1.2.23-2rhn.rhel3
  • rhn-modjk-ap13-0:1.2.23-2rhn.rhel4
  • rhn-modperl-0:1.29-16.rhel3
  • rhn-modperl-0:1.29-16.rhel4
  • rhn-modssl-0:2.8.12-8.rhn.10.rhel3
  • rhn-modssl-0:2.8.12-8.rhn.10.rhel4
  • tomcat5-0:5.0.30-0jpp_10rh
  • ant-0:1.6.5-1jpp_1rh
  • avalon-logkit-0:1.2-2jpp_4rh
  • axis-0:1.2.1-1jpp_3rh
  • classpathx-jaf-0:1.0-2jpp_6rh
  • classpathx-mail-0:1.1.1-2jpp_8rh
  • geronimo-ejb-2.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-1.4-apis-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-connector-1.5-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-deployment-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-j2ee-management-1.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jms-1.1-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jsp-2.0-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-jta-1.0.1B-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-servlet-2.4-api-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-0:1.0-0.M4.1jpp_10rh
  • geronimo-specs-javadoc-0:1.0-0.M4.1jpp_10rh
  • jakarta-commons-modeler-0:2.0-3jpp_2rh
  • log4j-0:1.2.12-1jpp_1rh
  • mx4j-1:3.0.1-1jpp_4rh
  • pcsc-lite-0:1.3.3-3.el4
  • pcsc-lite-debuginfo-0:1.3.3-3.el4
  • pcsc-lite-doc-0:1.3.3-3.el4
  • pcsc-lite-libs-0:1.3.3-3.el4
  • rhpki-ca-0:7.3.0-20.el4
  • rhpki-java-tools-0:7.3.0-10.el4
  • rhpki-kra-0:7.3.0-14.el4
  • rhpki-manage-0:7.3.0-19.el4
  • rhpki-native-tools-0:7.3.0-6.el4
  • rhpki-ocsp-0:7.3.0-13.el4
  • rhpki-tks-0:7.3.0-13.el4
  • tomcat5-0:5.5.23-0jpp_4rh.16
  • tomcat5-common-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-jasper-0:5.5.23-0jpp_4rh.16
  • tomcat5-jsp-2.0-api-0:5.5.23-0jpp_4rh.16
  • tomcat5-server-lib-0:5.5.23-0jpp_4rh.16
  • tomcat5-servlet-2.4-api-0:5.5.23-0jpp_4rh.16
  • xerces-j2-0:2.7.1-1jpp_1rh
  • xml-commons-0:1.3.02-2jpp_1rh
  • xml-commons-apis-0:1.3.02-2jpp_1rh
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 13873
  • 25159
bugtraq
  • 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling
  • 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
  • 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
  • 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
confirm
hp
  • HPSBUX02262
  • SSRT071447
misc
mlist
  • [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
  • [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/
sectrack 1014365
secunia
  • 26235
  • 26660
  • 27037
  • 28365
  • 29242
  • 30899
  • 30908
  • 33668
sunalert 239312
suse SUSE-SR:2008:005
vupen
  • ADV-2007-2732
  • ADV-2007-3087
  • ADV-2007-3386
  • ADV-2008-0065
  • ADV-2008-1979
  • ADV-2009-0233
Last major update 15-04-2019 - 16:29
Published 05-07-2005 - 04:00
Last modified 15-04-2019 - 16:29
Back to Top