CVE-2019-17569: 
Java vulnerability analysis and mitigation

CVE-2019-17569 affects Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50, and 7.0.98 to 7.0.99. The vulnerability was introduced through a refactoring regression that caused invalid Transfer-Encoding headers to be incorrectly processed, potentially leading to HTTP Request Smuggling if Tomcat was positioned behind a reverse proxy that improperly handled the invalid Transfer-Encoding header (NVD).

The vulnerability is caused by incorrect processing of invalid Transfer-Encoding headers in Apache Tomcat. The CVSS v3.1 base score is 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with high attack complexity, no privileges required, no user interaction needed, unchanged scope, and low impact on confidentiality and integrity (NVD).

If successfully exploited, this vulnerability could allow an attacker to perform HTTP Request Smuggling attacks when Tomcat is behind a reverse proxy that incorrectly handles invalid Transfer-Encoding headers. However, such a reverse proxy configuration is considered unlikely (NVD).

The vulnerability has been fixed in Apache Tomcat versions 7.0.100, 8.5.51, and 9.0.31. Users are advised to upgrade to these or later versions. Various vendors have also released patches including Oracle in their January 2021, July 2020, and October 2020 Critical Patch Updates (Oracle CPU Jan 2021, Oracle CPU Jul 2020, Oracle CPU Oct 2020).