CVE-2005-2090Improper Input Validation in Apache Tomcat

CWE-20Improper Input Validation16 documents7 sources
Severity
4.3MEDIUMNVD
EPSS
82.0%
top 0.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedJul 5
Latest updateMay 14

Description

Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat4.1.24, 5.0.19+1

🔴Vulnerability Details

4
GHSA
Apache Tomcat is vulnerable to HTTP request-smuggling2022-05-14
OSV
Tomcat Vulnerable to Web Cache Poisoning2022-05-01
GHSA
Tomcat Vulnerable to Web Cache Poisoning2022-05-01
CVEList
CVE-2005-2090: Jakarta Tomcat 52005-06-30

📋Vendor Advisories

3
Red Hat
tomcat: multiple content-length header poisoning flaws2014-02-25
Red Hat
tomcat multiple content-length header poisioning2005-06-06
Apache
Apache tomcat: CVE-2005-2090

💬Community

8
Bugzilla
CVE-2013-4286 tomcat: multiple content-length header poisoning flaws2014-02-25
Bugzilla
A number of tomcat issues2007-05-09
Bugzilla
CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835 CVE-2005-3510 CVE-2005-4838)2007-04-30
Bugzilla
CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835)2007-04-19
Bugzilla
CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195)2007-04-19
CVE-2005-2090 — Improper Input Validation in Apache | cvebase