CVE-2023-46589

CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation14 documents10 sources

Severity

7.5HIGH

EPSS

51.4%

top 2.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedNov 28

Latest updateApr 15

Description

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDapache/tomcat8.5.0 — 8.5.96+3

▶Mavenorg.apache.tomcat:tomcat-catalina11.0.0-M1 — 11.0.0-M11+3

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core11.0.0-M1 — 11.0.0-M11+3

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.0-M10+3

▶Debiantomcat9< 9.0.43-2~deb11u10+3

🔴Vulnerability Details

OSV

Apache Tomcat Improper Input Validation vulnerability↗2023-11-28

▶

OSV

CVE-2023-46589: Improper Input Validation vulnerability in Apache Tomcat↗2023-11-28

▶

GHSA

Apache Tomcat Improper Input Validation vulnerability↗2023-11-28

▶

CVEList

Apache Tomcat: HTTP request smuggling via malformed trailer headers↗2023-11-28

▶

📋Vendor Advisories

Oracle

Oracle Oracle Retail Applications Risk Matrix: Xenvironment (Apache Tomcat) — CVE-2023-46589↗2025-04-15

▶

Ubuntu

Tomcat vulnerability↗2024-09-24

▶

Oracle

Oracle Oracle Communications Risk Matrix: Alarms, KPI, and Measurements (Apache Tomcat) — CVE-2023-46589↗2024-07-15

▶

Oracle

Oracle Oracle Big Data Spatial and Graph Risk Matrix: Big Data Graph (Apache Tomcat) — CVE-2023-46589↗2024-04-15

▶

Atlassian

CVE-2023-46589: from 9.12.0 (LTS) to 9.12.1 (LTS) from 9.11.0 to 9.11.3 from 9.10.0 to 9.10.2 from 9.9.0 to 9.9.2 from 9.8.0 to 9.8.2 fr↗2024-02-20

▶