oss-sec mailing list archives
CVE-2022-42252: Apache Tomcat - Request Smuggling
From: Mark Thomas <markt () apache org>
Date: Mon, 31 Oct 2022 16:53:36 +0000
CVE-2022-42252 Apache Tomcat - Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52

Description:
If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header, making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later

Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the
Apache Tomcat security team.

History:
2022-10-31 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
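As an added example (not Tomcat's code and not part of the advisory), the strict Content-Length validation that a reverse proxy in front of an affected Tomcat should apply, so that a request carrying an illegal header is rejected at the edge rather than forwarded; the header parser and the sample request heads are constructed for illustration.

```python
import re
from typing import List, Tuple

# Strict Content-Length checking of the kind a reverse proxy (or Tomcat with
# rejectIllegalHeader="true") must apply before forwarding a request: RFC 9110
# defines the value as 1*DIGIT, and forwarding anything else lets the proxy
# and the backend disagree on where the request body ends.
_DIGITS = re.compile(r"^[0-9]+$")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (lower-cased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # no colon, empty name, or whitespace before the colon: malformed
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.lower(), value.strip(" \t")))
    return pairs


def check_content_length(raw: bytes) -> Tuple[bool, str]:
    """(True, length) if the head is safe to forward, else (False, reason)."""
    try:
        pairs = parse_headers(raw)
    except ValueError as exc:
        return False, str(exc)
    values = []
    for name, value in pairs:
        if name == "content-length":  # one field may hold a comma list
            values.extend(v.strip(" \t") for v in value.split(","))
    if not values:
        return True, "no Content-Length"
    for v in values:  # reject anything that is not 1*DIGIT
        if not _DIGITS.match(v):
            return False, f"illegal Content-Length value: {v!r}"
    if len(set(values)) != 1:  # duplicates are only tolerable when identical
        return False, f"conflicting Content-Length values: {values}"
    if any(name == "transfer-encoding" for name, _ in pairs):
        return False, "Content-Length and Transfer-Encoding both present"
    return True, str(int(values[0]))


# Constructed sample request heads, not taken from the advisory.
REQ_OK = b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5\r\n\r\nhello"
REQ_BAD = b"POST /app HTTP/1.1\r\nHost: example\r\nContent-Length: 5x\r\n\r\nhello"
REQ_DUP = (b"POST /app HTTP/1.1\r\nHost: example\r\n"
           b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
```

A proxy that applies this check returns an error for REQ_BAD and REQ_DUP instead of forwarding them, which closes the path the advisory describes regardless of the backend's rejectIllegalHeader setting.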