exploitDog

GHSA-r6j3-px5g-cq3x

Опубликовано: 10 окт. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

Apache Tomcat Improper Input Validation vulnerability

Improper Input Validation vulnerability in Apache Tomcat.

Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

Ссылки

Пакеты

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 11.0.0-M1, < 11.0.0-M12

11.0.0-M12

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 10.1.0-M1, < 10.1.14

10.1.14

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 9.0.0-M1, < 9.0.81

9.0.81

Наименование

org.apache.tomcat:tomcat

maven

Затронутые версииВерсия исправления

>= 8.5.0, < 8.5.94

8.5.94

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven

Затронутые версииВерсия исправления

>= 11.0.0-M1, < 11.0.0-M12

11.0.0-M12

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven

Затронутые версииВерсия исправления

>= 10.1.0-M1, < 10.1.14

10.1.14

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven

Затронутые версииВерсия исправления

>= 9.0.0-M1, < 9.0.81

9.0.81

Наименование

org.apache.tomcat.embed:tomcat-embed-core

maven

Затронутые версииВерсия исправления

>= 8.5.0, < 8.5.94

8.5.94

EPSS

Процентиль: 72%

0.00732

Низкий

5.3 Medium

CVSS3

CVE ID

Дефекты

CWE-20

Связанные уязвимости

CVE-2023-45648

CVSS3: 5.3

ubuntu

больше 1 года назад

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CVE-2023-45648

CVSS3: 5.3

redhat

больше 1 года назад

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CVE-2023-45648

CVSS3: 5.3

nvd

больше 1 года назад

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CVE-2023-45648

CVSS3: 5.3

debian

больше 1 года назад

Improper Input Validation vulnerability in Apache Tomcat.Tomcatfrom 11 ...

BDU:2023-07041

CVSS3: 5.3

fstec

больше 1 года назад

Уязвимость сервера приложений Apache Tomcat, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 72%

0.00732

Низкий

5.3 Medium

CVSS3

CVE ID

Дефекты

CWE-20