GoogleOSV:GHSA-FCCV-JMMP-QG76Apache Tomcat Improper Input Validation vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
76.1%
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
References
www.openwall.com/lists/oss-security/2023/11/28/2
github.com/apache/tomcat
github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b
github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642
github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
lists.debian.org/debian-lts-announce/2024/01/msg00001.html
nvd.nist.gov/vuln/detail/CVE-2023-46589
security.netapp.com/advisory/ntap-20231214-0009
tomcat.apache.org/security-10.html
tomcat.apache.org/security-11.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html
www.openwall.com/lists/oss-security/2023/11/28/2
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
76.1%