CVE-2023-45648

2023-10-1019:15:09

Debian Security Bug Tracker

security-tracker.debian.org

apache tomcat

input validation

http trailer headers

request smuggling

upgrade

cve-2023-45648

unix

6.1 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.1%

JSON

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

OSVersionArchitecturePackageVersionFilename
Debian12alltomcat10< 10.1.6-1+deb12u1tomcat10_10.1.6-1+deb12u1_all.deb
Debian999alltomcat10< 10.1.14-1tomcat10_10.1.14-1_all.deb
Debian13alltomcat10< 10.1.14-1tomcat10_10.1.14-1_all.deb
Debian12alltomcat9< 9.0.70-2tomcat9_9.0.70-2_all.deb
Debian11alltomcat9< 9.0.43-2~deb11u7tomcat9_9.0.43-2~deb11u7_all.deb
Debian10alltomcat9< 9.0.31-1~deb10u9tomcat9_9.0.31-1~deb10u9_all.deb
Debian999alltomcat9< 9.0.70-2tomcat9_9.0.70-2_all.deb
Debian13alltomcat9< 9.0.70-2tomcat9_9.0.70-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	tomcat10	< 10.1.6-1+deb12u1	tomcat10_10.1.6-1+deb12u1_all.deb
Debian	999	all	tomcat10	< 10.1.14-1	tomcat10_10.1.14-1_all.deb
Debian	13	all	tomcat10	< 10.1.14-1	tomcat10_10.1.14-1_all.deb
Debian	12	all	tomcat9	< 9.0.70-2	tomcat9_9.0.70-2_all.deb
Debian	11	all	tomcat9	< 9.0.43-2~deb11u7	tomcat9_9.0.43-2~deb11u7_all.deb
Debian	10	all	tomcat9	< 9.0.31-1~deb10u9	tomcat9_9.0.31-1~deb10u9_all.deb
Debian	999	all	tomcat9	< 9.0.70-2	tomcat9_9.0.70-2_all.deb
Debian	13	all	tomcat9	< 9.0.70-2	tomcat9_9.0.70-2_all.deb