CVE-2023-46589

HIGH Year: 2023
CVSS v3 Score
7.5
High
Weakness Type
CWE-444
View all →

Vulnerability Description

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Related Vulnerabilities

CVE-2017-12165

HIGH
CVSS:7.5(High)

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CWE-4442017

CVE-2017-7656

HIGH
CVSS:7.5(High)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line ...

CWE-4442017

CVE-2019-1020012

HIGH
CVSS:7.5(High)

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

CWE-4442019

CVE-2019-16276

HIGH
CVSS:7.5(High)

Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.

CWE-4442019

CVE-2019-16785

HIGH
CVSS:7.5(High)

Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize ...

CWE-4442019

CVE-2019-16786

HIGH
CVSS:7.5(High)

Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header i...

CWE-4442019