CVE-2013-4286Improper Input Validation in Apache Tomcat

CWE-20Improper Input Validation9 documents7 sources
Severity
5.8MEDIUMNVD
CNA4.3GHSA4.3OSV4.3
EPSS
23.6%
top 4.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedFeb 26
Latest updateMay 14

Description

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

NVDapache/tomcat6.0.37+172

🔴Vulnerability Details

4
GHSA
Apache Tomcat is vulnerable to HTTP request-smuggling2022-05-14
OSV
Apache Tomcat is vulnerable to HTTP request-smuggling2022-05-14
CVEList
CVE-2013-4286: Apache Tomcat before 62014-02-26
OSV
CVE-2013-4286: Apache Tomcat before 62014-02-26

📋Vendor Advisories

2
Ubuntu
Tomcat vulnerabilities2014-03-06
Red Hat
tomcat: multiple content-length header poisoning flaws2014-02-25

💬Community

2
Bugzilla
CVE-2013-4322 CVE-2013-4590 CVE-2013-4286 tomcat: various flaws [fedora-all]2014-02-25
Bugzilla
CVE-2013-4286 tomcat: multiple content-length header poisoning flaws2014-02-25
CVE-2013-4286 — Improper Input Validation in Apache | cvebase