CVE-2023-45648: Apache Tomcat - HTTP Request Smuggling
漏洞描述
Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicious trailer headers. [已公开] id: CVE-2023-45648 info: name: Apache Tomcat - HTTP Request Smuggling author: 0x_Akoko severity: medium description: | Apache Tomcat from versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation caused by incorrect parsing of HTTP trailer headers, letting attackers craft headers to cause request smuggling, exploit requires sending malicious trailer headers. impact: | Attackers can perform request smuggling, potentially leading to cache poisoning, session hijacking, or bypassing security controls. remediation: | Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later. reference: - https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp - https://hackerone.com/reports/2299692 - https://nvd.nist.gov/vuln/detail/CVE-2023-45648 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L
影响范围
未知
修复建议
暂无