On Thu, 14 Dec 2023 at 16:51, Mark Thomas <ma...@apache.org> wrote:
> On 14/12/2023 15:33, Benny Prange wrote:
> > Hi all,
> >
> > I am having trouble understanding the description of CVE-2023-46589.
> > Does this CVE affect scenarios where the Apache Tomcat is the reverse
> > proxy, or when the Apache Tomcat is running behind a reverse proxy?
> > Is the Tomcat vulnerable to request smuggling, or other applications
> > running behind the Tomcat?
>
> Tomcat does not provide reverse proxy configuration.
>
> This CVE applies when Tomcat is behind a reverse proxy.
>
> Mark

Thanks for the quick response. I'm afraid I still can't grasp it:
From my understanding, the trailer header is used in HTTP responses. How can this lead to request smuggling?
Why is it important that there is a reverse proxy in front of the Tomcat, or would the CVE also be applicable without a reverse proxy?

Thanks a lot
Benny