CVE-2022-42252

Apache Tomcat request smuggling via malformed content-length

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Si Apache Tomcat 8.5.0 a 8.5.82, 9.0.0-M1 a 9.0.67, 10.0.0-M1 a 10.0.26 o 10.1.0-M1 a 10.1.0 se configuró para ignorar encabezados HTTP no válidos mediante la configuración de rechazarIllegalHeader a falso (el valor predeterminado solo para 8.5.x), Tomcat no rechazó una solicitud que contenía un encabezado Content-Length no válido, lo que hace posible un ataque de contrabando de solicitudes si Tomcat estaba ubicado detrás de un proxy inverso que tampoco rechazó la solicitud con el encabezado no válido.

A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack.

*Credits: Thanks to Sam Shahsavar who discovered this issue and reported it to the Apache Tomcat security team.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-03 CVE Reserved
2022-11-01 CVE Published
2024-06-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (4)

URL	Tag	Source
https://security.gentoo.org/glsa/202305-37

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq	2023-05-30
https://access.redhat.com/security/cve/CVE-2022-42252	2023-04-12
https://bugzilla.redhat.com/show_bug.cgi?id=2141329	2023-04-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.5.0 < 8.5.83 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 < 8.5.83"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 9.0.0 < 9.0.68 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 < 9.0.68"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 10.0.0 < 10.0.27 Search vendor "Apache" for product "Tomcat" and version " >= 10.0.0 < 10.0.27"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 10.1.0 < 10.1.1 Search vendor "Apache" for product "Tomcat" and version " >= 10.1.0 < 10.1.1"		-		Affected