Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <33d63ef9-833d-4878-97c0-d4b9bcaad077@apache.org>
Date: Tue, 28 Nov 2023 15:32:50 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-46589: Apache Tomcat: HTTP request smuggling via malformed
 trailer headers

Severity: important

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.0-M10
- Apache Tomcat 10.1.0-M1 through 10.1.15
- Apache Tomcat 9.0.0-M1 through 9.0.82
- Apache Tomcat 8.5.0 through 8.5.95

Description:

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 
11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 
9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly 
parse HTTP trailer headers. A trailer header that exceeded the header 
size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 
onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Credit:

Norihito Aimoto (OSSTech Corporation)  (finder)

References:

https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46589

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.