CVE-2005-2090
published 2005-07-05

Priority P428, medium, 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 29.78% (98.0th percentile)
Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allow remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

Affected

174 ranges
Vendor   Product   Version range   Fixed in
apache   tomcat    <= 6.0.37

Detection & IOCs (extracted from sources)

  • Detect HTTP Request Smuggling via simultaneous presence of 'Transfer-Encoding: chunked' header and a Content-Length header in the same request sent to Tomcat
  • Detect requests containing multiple Content-Length headers, which should be rejected as invalid and indicate a smuggling/poisoning attempt
  • Flag requests combining a Content-Length header with chunked transfer-encoding over HTTP or AJP connectors as potential smuggling attempts (incomplete fix vector)
  • Affected versions for the original CVE-2005-2090 include Tomcat 5.0.0–5.0.HEAD and 5.5.0–5.5.22; Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) are specifically named as vulnerable
  • Intermediate proxy/firewall/cache components in the request chain that do not reject malformed requests are a prerequisite for successful exploitation; the attack requires multiple components making different decisions about which Content-Length value to use
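
The first two checks in the list above, as an added example (not code from this page or from the Tomcat project): a small Python function that inspects the header block of a raw HTTP/1.x request and reports both ambiguous-framing conditions. The function names, finding labels and sample requests are constructed for illustration.

```python
# Added example: flags the header combinations named in the detection list.
# All sample requests below are constructed; example.test is a placeholder host.

def parse_headers(raw: bytes):
    """Return (name, value) pairs from the header block of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            # Header names are case-insensitive; normalise before comparing.
            pairs.append((name.strip().lower().decode("latin-1"),
                          value.strip().decode("latin-1")))
    return pairs

def smuggling_findings(raw: bytes):
    """List the ambiguous-framing conditions present in one request."""
    headers = parse_headers(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    # Transfer-Encoding may carry a comma-separated list of codings.
    codings = [c.strip().lower()
               for n, v in headers if n == "transfer-encoding"
               for c in v.split(",")]
    findings = []
    if len(lengths) > 1:
        findings.append("multiple-content-length")
    if lengths and "chunked" in codings:
        findings.append("content-length-with-chunked")
    return findings

BENIGN = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("cl+te", CL_TE), ("dup-cl", DUP_CL)]:
        print(label, smuggling_findings(req))
```

A front-end component that rejects any request with a non-empty result removes the disagreement between components that the last bullet names as the prerequisite.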

CVSS provenance

nvd             v2.0   4.3   MEDIUM   AV:N/AC:M/Au:N/C:N/I:P/A:N
ghsa                   4.3   MEDIUM
osv                    4.3   MEDIUM
vendor_apache          4.3   MEDIUM
vendor_redhat          4.3   MEDIUM