CVE-2023-45648 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

This vulnerability was reported responsibly to the Tomcat security team by Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory.

2023-10-10 Original advisory


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to