Apache Tomcat: HTTP request smuggling via malformed trailer headers
Description
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-catalinaMaven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11 |
org.apache.tomcat:tomcat-catalinaMaven | >= 10.1.0-M1, < 10.1.16 | 10.1.16 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0-M1, < 9.0.83 | 9.0.83 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, < 8.5.96 | 8.5.96 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.16 | 10.1.16 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.83 | 9.0.83 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.96 | 8.5.96 |
Affected products
39- osv-coords38 versionspkg:apk/chainguard/spark-3.5.0-compatpkg:apk/chainguard/spark-3.5.0-compat-minimalpkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcat-catalinapkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3
< 3.5.0-r4+ 37 more
- (no CPE)range: < 3.5.0-r4
- (no CPE)range: < 3.5.0-r4
- (no CPE)range: >= 8.5.0, < 8.5.96
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M11
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M11
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 1:9.0.62-27.el8_9.3
- (no CPE)range: < 10.1.18-150200.5.8.1
- (no CPE)range: < 10.1.18-1.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-1.1
- (no CPE)range: < 10.1.18-150200.5.8.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-150100.4.105.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.118.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.105.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.36-3.118.1
- (no CPE)range: < 9.0.36-150100.4.105.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.85-150200.57.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.85-150200.57.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
15- github.com/advisories/GHSA-fccv-jmmp-qg76ghsaADVISORY
- lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxrghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-46589ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/11/28/2ghsaWEB
- github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041bghsaWEB
- github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebdghsaWEB
- github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642ghsaWEB
- github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08ghsaWEB
- lists.debian.org/debian-lts-announce/2024/01/msg00001.htmlghsaWEB
- security.netapp.com/advisory/ntap-20231214-0009ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- www.openwall.com/lists/oss-security/2023/11/28/2ghsaWEB
News mentions
0No linked articles in our index yet.