Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr | Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html | |
https://security.netapp.com/advisory/ntap-20231214-0009/ | |
https://www.openwall.com/lists/oss-security/2023/11/28/2 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr | Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html | |
https://security.netapp.com/advisory/ntap-20231214-0009/ | |
https://www.openwall.com/lists/oss-security/2023/11/28/2 | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:28
Type | Values Removed | Values Added |
---|---|---|
References | () https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr - Mailing List, Vendor Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html - | |
References | () https://security.netapp.com/advisory/ntap-20231214-0009/ - | |
References | () https://www.openwall.com/lists/oss-security/2023/11/28/2 - Mailing List, Third Party Advisory |
05 Jan 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Dec 2023, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | () https://www.openwall.com/lists/oss-security/2023/11/28/2 - Mailing List, Third Party Advisory |
05 Dec 2023, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
04 Dec 2023, 19:11
Type | Values Removed | Values Added |
---|---|---|
First Time |
Apache
Apache tomcat |
|
References | () http://www.openwall.com/lists/oss-security/2023/11/28/2 - Mailing List, Third Party Advisory | |
References | () https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr - Mailing List, Vendor Advisory | |
CPE | cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | CWE-444 |
28 Nov 2023, 18:29
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Nov 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-28 16:15
Updated : 2024-11-21 08:28
NVD link : CVE-2023-46589
Mitre link : CVE-2023-46589
CVE.ORG link : CVE-2023-46589
JSON object : View
Products Affected
apache
- tomcat
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')