Posted to commits@tomee.apache.org by "Jayaprakash (Jira)" <ji...@apache.org> on 2020/03/23 05:10:00 UTC
[jira] [Commented] (TOMEE-2790) TomEE plus(7.0.7) is affected by
CVE-2020-1935 & CVE-2019-17569 vulnerabilities
[ https://issues.apache.org/jira/browse/TOMEE-2790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17064536#comment-17064536 ]
Jayaprakash commented on TOMEE-2790:
------------------------------------
[~jgallimore],
It seems like it impacts the TomEE 7.0.7 version. Can you please confirm this?
> TomEE plus(7.0.7) is affected by CVE-2020-1935 & CVE-2019-17569 vulnerabilities
> -------------------------------------------------------------------------------
>
> Key: TOMEE-2790
> URL: https://issues.apache.org/jira/browse/TOMEE-2790
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 7.0.7
> Reporter: Jayaprakash
> Priority: Minor
>
> TomEE plus (7.0.7) is using Apache Tomcat version 8.5.50, which is affected by the vulnerabilities below:
> * CVE-2020-1935 (BDSA-2020-0328) : Apache Tomcat Vulnerable to HTTP Request Smuggling via 'parseHeader' EOL Parsing
> * CVE-2019-17569 (BDSA-2020-0330) : Apache Tomcat Vulnerable to HTTP Request Smuggling via Regression in 'parseTokenList'
> Apache Tomcat (8.5.51) addresses this vulnerability.
> Can you please upgrade TomEE plus (7.0.7) with Apache Tomcat version 8.5.51 or later, which addresses these vulnerabilities?