CVE-2020-1935 [Medium] | Security Vulnerability in Tomcat

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-03-28	1.01%	1.37%	+0.36%
2	2026-03-04	0.51%	1.01%	+0.50%
3	2026-03-01	—	0.51%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-03-28

1.01%

1.37%

+0.36%

2026-03-04

0.51%

1.01%

+0.50%

2026-03-01

—

0.51%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.8	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	2.2	2.5	[email protected]
5.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.8

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

2.2

2.5

[email protected]

5.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

4.9

[email protected]

OS Trackers for CVE-2020-1935

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2020-1935 not yet assigned priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2020-1935
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2020-1935
`ubuntu`	low	CVE-2020-1935 low priority: Ubuntu including 3 source packages (tomcat7, tomcat8, tomcat9), 51 status rows across 17 suites (bionic, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 29, not-affected 12, needed 5, released 4, ignored 1.	https://ubuntu.com/security/CVE-2020-1935

Affected software / configurations for CVE-2020-1935

Vendor	Product	Version	Raw CPE
apache	tomcat	>= 7.0.0, <= 7.0.99	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 8.5.0, <= 8.5.50	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 9.0.0, <= 9.0.30	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:-::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
apache	tomcat	9.0.0	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
opensuse	leap	15.1	cpe:2.3:o:opensuse:leap:15.1:::::::*
netapp	data_availability_services	—	cpe:2.3:a:netapp:data_availability_services:-:::::::*
netapp	oncommand_system_manager	>= 3.0.0, <= 3.1.3	cpe:2.3:a:netapp:oncommand_system_manager::::::::
oracle	agile_engineering_data_management	6.2.1.0	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
oracle	agile_product_lifecycle_management	9.3.3	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.3:::::::*
oracle	agile_product_lifecycle_management	9.3.5	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.5:::::::*
oracle	agile_product_lifecycle_management	9.3.6	cpe:2.3:a:oracle:agile_product_lifecycle_management:9.3.6:::::::*
oracle	communications_element_manager	8.1.1	cpe:2.3:a:oracle:communications_element_manager:8.1.1:::::::*
oracle	communications_element_manager	8.2.0	cpe:2.3:a:oracle:communications_element_manager:8.2.0:::::::*
oracle	communications_element_manager	8.2.1	cpe:2.3:a:oracle:communications_element_manager:8.2.1:::::::*
oracle	communications_instant_messaging_server	10.0.1.4.0	cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:::::::*
oracle	health_sciences_empirica_inspections	1.0.1.2	cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:::::::*
oracle	health_sciences_empirica_signal	7.3.3	cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:::::::*
oracle	hospitality_guest_access	4.2.0	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
oracle	hospitality_guest_access	4.2.1	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
oracle	hyperion_infrastructure_technology	11.1.2.4	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:::::::*
oracle	instantis_enterprisetrack	>= 17.1, <= 17.3	cpe:2.3:a:oracle:instantis_enterprisetrack::::::::
oracle	mysql_enterprise_monitor	>= 4.0.0, <= 4.0.12	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
oracle	mysql_enterprise_monitor	>= 8.0.0, <= 8.0.20	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::
oracle	retail_order_broker	15.0	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
oracle	siebel_ui_framework	<= 20.5	cpe:2.3:a:oracle:siebel_ui_framework::::::::
oracle	transportation_management	6.3.7	cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*
oracle	workload_manager	12.2.0.1	cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
oracle	workload_manager	18c	cpe:2.3:a:oracle:workload_manager:18c:::::::*
oracle	workload_manager	19c	cpe:2.3:a:oracle:workload_manager:19c:::::::*

References for CVE-2020-1935

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html	Broken Link Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0005/	Third Party Advisory
https://usn.ubuntu.com/4448-1/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4673	Third Party Advisory
https://www.debian.org/security/2020/dsa-4680	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory

URL

CVE-2020-1935

Exploit prediction scoring system (EPSS) score for CVE-2020-1935

Common vulnerability scoring system (CVSS) metrics for CVE-2020-1935

Weakness enumeration for CVE-2020-1935

GitHub Security Advisory for CVE-2020-1935

OS Trackers for CVE-2020-1935

Affected software / configurations for CVE-2020-1935

References for CVE-2020-1935