FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Tomcat -- Request Smuggling

Affected packages
8.5.0 <= tomcat < 8.5.83
9.0.0-M1 <= tomcat < 9.0.68
10.0.0-M1 <= tomcat < 10.0.27
10.1.0-M1 <= tomcat < 10.1.1
8.5.0 <= tomcat85 < 8.5.83
9.0.0-M1 <= tomcat9 < 9.0.68
10.0.0-M1 <= tomcat10 < 10.0.27
10.1.0-M1 <= tomcat101 < 10.1.1
10.1.0-M1 <= tomcat-devel < 10.1.1

Details

VuXML ID 556fdf03-6785-11ed-953b-002b67dfc673
Discovery 2022-10-31
Entry 2022-11-18

Apache Tomcat reports:

If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The CVSS score for this vulnerability is 7.5 (High).
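The mechanism behind the advisory is a disagreement about where one request ends and the next begins: a front end that accepts a malformed Content-Length and forwards the body, and a back end that (with rejectIllegalHeader=false) ignores the malformed header and so reads that body as a second request. The following is an added illustration, not code from the advisory, FreeBSD or the Tomcat project. It models three Content-Length policies over one constructed byte stream: strict (RFC 9110 1*DIGIT only), a hypothetical lenient proxy that tolerates a hex-prefixed value (the advisory does not say which invalid forms real proxies accepted; this is an assumption chosen for the demonstration), and a back end that silently drops the invalid header.

```python
import re
from typing import Callable, List, Tuple

# RFC 9110 section 8.6: Content-Length = 1*DIGIT. Anything else is illegal.
_DIGITS = re.compile(rb"^[0-9]+$")


class IllegalHeader(ValueError):
    """Raised when a parser refuses a malformed Content-Length value."""


def strict_content_length(value: bytes) -> int:
    """Safe policy: accept only a pure digit string, reject everything else.
    This is the behaviour an operator gets from rejectIllegalHeader=true."""
    if not _DIGITS.match(value):
        raise IllegalHeader(f"illegal Content-Length: {value!r}")
    return int(value)


def lenient_proxy_content_length(value: bytes) -> int:
    """Hypothetical sloppy front end (assumption, not a documented proxy):
    it tolerates a hex prefix, so b'0x2A' is read as 42 and the 42 body
    bytes are forwarded as part of the first request."""
    text = value.decode("ascii", "replace").strip()
    try:
        return int(text, 0)
    except ValueError:
        raise IllegalHeader(f"illegal Content-Length: {value!r}")


def ignoring_backend_content_length(value: bytes) -> int:
    """Model of rejectIllegalHeader=false: an invalid header is ignored, so
    the request is treated as if it had no Content-Length at all (no body)."""
    if _DIGITS.match(value):
        return int(value)
    return 0


def parse_requests(stream: bytes,
                   content_length: Callable[[bytes], int]) -> List[Tuple[bytes, bytes]]:
    """Split a raw HTTP/1.1 byte stream into (request-line, body) pairs using
    the supplied Content-Length policy. Deliberately minimal: no chunked
    transfer coding, no obs-fold, just enough to show the framing split."""
    out: List[Tuple[bytes, bytes]] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete request head")
        lines = stream[pos:end].split(b"\r\n")
        request_line = lines[0]
        length = 0
        for line in lines[1:]:
            name, _, val = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = content_length(val.strip())
        body_start = end + 4
        body = stream[body_start:body_start + length]
        out.append((request_line, body))
        pos = body_start + length
    return out


# Constructed sample stream (not taken from the advisory). The "body" of the
# POST is 42 bytes long and is itself a complete GET request; 0x2A == 42.
STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 0x2A\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)


def compare_views(stream: bytes = STREAM) -> dict:
    """Return how each policy frames the same stream. The proxy sees one
    request; the ignoring back end sees two (the smuggled GET); the strict
    parser refuses the request outright."""
    proxy = parse_requests(stream, lenient_proxy_content_length)
    backend = parse_requests(stream, ignoring_backend_content_length)
    try:
        parse_requests(stream, strict_content_length)
        strict_rejected = False
    except IllegalHeader:
        strict_rejected = True
    return {
        "proxy_requests": [line for line, _ in proxy],
        "backend_requests": [line for line, _ in backend],
        "strict_rejected": strict_rejected,
    }


if __name__ == "__main__":
    for key, value in compare_views().items():
        print(f"{key}: {value}")
```

The proxy forwards one POST whose body happens to contain "GET /admin"; the back end, having discarded the invalid header, answers a GET /admin that the proxy never authorised as a request. Either side rejecting the header closes the gap, which is why the advisory conditions the attack on both components being lenient. On an affected 8.5.x installation the corresponding hardening is to set rejectIllegalHeader="true" on the HTTP Connector in server.xml rather than relying on the default, in addition to upgrading to a fixed version.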

References

CVE Name CVE-2022-42252
URL https://nvd.nist.gov/vuln/detail/CVE-2022-42252