CVE-2022-42252 — HTTP Request Smuggling in Apache Tomcat

CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation12 documents10 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 59.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedNov 1

Latest updateJul 9

Description

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/tomcat8.5.0 — 8.5.83+3

▶CVEListV5apache_software_foundation/apache_tomcat10.1.0-M1 — 10.1.0+3

🔴Vulnerability Details

GHSA

Apache Tomcat may reject request containing invalid Content-Length header↗2022-11-01

▶

CVEList

Apache Tomcat request smuggling via malformed content-length↗2022-11-01

▶

OSV

Apache Tomcat may reject request containing invalid Content-Length header↗2022-11-01

▶

OSV

CVE-2022-42252: If Apache Tomcat 8↗2022-11-01

▶

📋Vendor Advisories

Ubuntu

Tomcat vulnerability↗2024-07-09

▶

Atlassian

CVE-2022-42252: Request Smuggling org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server↗2024-01-16

▶

Oracle

Oracle Oracle Communications Risk Matrix: BEServer (Apache Tomcat) — CVE-2022-42252↗2023-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: DBPlugin (Apache Tomcat) — CVE-2022-42252↗2023-01-15

▶

Red Hat

tomcat: request smuggling↗2022-10-31

▶