CVE-2023-46589

Apache Tomcat: HTTP request smuggling via malformed trailer headers

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Vulnerabilidad de validación de entrada incorrecta en Apache Tomcat.Tomcat desde 11.0.0-M1 hasta 11.0.0-M10, desde 10.1.0-M1 hasta 10.1.15, desde 9.0.0-M1 hasta 9.0.82 y desde 8.5.0 hasta 8.5 .95 no analizó correctamente los encabezados de las colas HTTP. Un encabezado de avance que exceda el límite de tamaño del encabezado podría hacer que Tomcat trate una sola solicitud como solicitudes múltiples, lo que generaría la posibilidad de contrabando de solicitudes cuando se encuentre detrás de un proxy inverso. Se recomienda a los usuarios actualizar a la versión 11.0.0-M11 en adelante, 10.1.16 en adelante, 9.0.83 en adelante o 8.5.96 en adelante, que solucionan el problema.

An improper Input validation flaw was found in Apache Tomcat due to incorrect parsing of HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

*Credits: Norihito Aimoto (OSSTech Corporation)

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-23 CVE Reserved
2023-11-28 CVE Published
2024-01-10 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html
https://security.netapp.com/advisory/ntap-20231214-0009
https://www.openwall.com/lists/oss-security/2023/11/28/2	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr	2024-01-05
https://access.redhat.com/security/cve/CVE-2023-46589	2024-05-23
https://bugzilla.redhat.com/show_bug.cgi?id=2252050	2024-05-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 8.5.0 < 8.5.96 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 < 8.5.96"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 9.0.0 < 9.0.83 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.0 < 9.0.83"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				>= 10.1.0 < 10.1.16 Search vendor "Apache" for product "Tomcat" and version " >= 10.1.0 < 10.1.16"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone1		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone10		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone2		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone3		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone4		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone5		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone6		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone7		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone8		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				11.0.0 Search vendor "Apache" for product "Tomcat" and version "11.0.0"		milestone9		Affected