Tomcat vulnerable to Improper Input Validation attack
CVE-2023-45648

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 10 October 2023

Summary

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M11

Apache Tomcat 10.1.0-M1 <= 10.1.13

Apache Tomcat 9.0.0-M1 <= 9.0.81

References

https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/10/10

https://www.debian.org/security/2023/dsa-5522

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2023
Vulnerability Reserved
Oct 10, 2023

Credit

Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory