CVE-2023-45648

Improper Input Validation vulnerability in Apache Tomcat.Tomcatfrom 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially 
crafted, invalid trailer header could cause Tomcat to treat a single 
request as multiple requests leading to the possibility of request 
smuggling when behind a reverse proxy.

Older, EOL versions may also be affected.


Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
apachetomcat
8.5.93 ≤
𝑥
≤ 8.5.93
apachetomcat
8.5.0 ≤
𝑥
< 8.5.94
apachetomcat
9.0.1 ≤
𝑥
< 9.0.81
apachetomcat
10.1.1 ≤
𝑥
< 10.1.14
apachetomcat
9.0.0:milestone1
apachetomcat
9.0.0:milestone10
apachetomcat
9.0.0:milestone11
apachetomcat
9.0.0:milestone12
apachetomcat
9.0.0:milestone13
apachetomcat
9.0.0:milestone14
apachetomcat
9.0.0:milestone15
apachetomcat
9.0.0:milestone16
apachetomcat
9.0.0:milestone17
apachetomcat
9.0.0:milestone18
apachetomcat
9.0.0:milestone19
apachetomcat
9.0.0:milestone2
apachetomcat
9.0.0:milestone20
apachetomcat
9.0.0:milestone21
apachetomcat
9.0.0:milestone22
apachetomcat
9.0.0:milestone23
apachetomcat
9.0.0:milestone24
apachetomcat
9.0.0:milestone25
apachetomcat
9.0.0:milestone26
apachetomcat
9.0.0:milestone27
apachetomcat
9.0.0:milestone3
apachetomcat
9.0.0:milestone4
apachetomcat
9.0.0:milestone5
apachetomcat
9.0.0:milestone6
apachetomcat
9.0.0:milestone7
apachetomcat
9.0.0:milestone8
apachetomcat
9.0.0:milestone9
apachetomcat
10.1.0:milestone1
apachetomcat
10.1.0:milestone10
apachetomcat
10.1.0:milestone11
apachetomcat
10.1.0:milestone12
apachetomcat
10.1.0:milestone13
apachetomcat
10.1.0:milestone14
apachetomcat
10.1.0:milestone15
apachetomcat
10.1.0:milestone16
apachetomcat
10.1.0:milestone17
apachetomcat
10.1.0:milestone18
apachetomcat
10.1.0:milestone19
apachetomcat
10.1.0:milestone2
apachetomcat
10.1.0:milestone20
apachetomcat
10.1.0:milestone3
apachetomcat
10.1.0:milestone4
apachetomcat
10.1.0:milestone5
apachetomcat
10.1.0:milestone6
apachetomcat
10.1.0:milestone7
apachetomcat
10.1.0:milestone8
apachetomcat
10.1.0:milestone9
apachetomcat
11.0.0:milestone1
apachetomcat
11.0.0:milestone10
apachetomcat
11.0.0:milestone11
apachetomcat
11.0.0:milestone2
apachetomcat
11.0.0:milestone3
apachetomcat
11.0.0:milestone4
apachetomcat
11.0.0:milestone5
apachetomcat
11.0.0:milestone6
apachetomcat
11.0.0:milestone7
apachetomcat
11.0.0:milestone8
apachetomcat
11.0.0:milestone9
debiandebian_linux
10.0
debiandebian_linux
11.0
debiandebian_linux
12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.6-1+deb12u2
fixed
bookworm (security)
10.1.6-1+deb12u2
fixed
sid
10.1.34-1
fixed
trixie
10.1.34-1
fixed
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
fixed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat10
oracular
not-affected
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
dne
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
tomcat8
oracular
dne
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
ignored
tomcat9
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
Fixed 9.0.58-1ubuntu0.1+esm4
released
focal
Fixed 9.0.31-1ubuntu0.8
released
bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm4
released
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
http://www.openwall.com/lists/oss-security/2023/10/10/10
https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://security.netapp.com/advisory/ntap-20231103-0007/
https://www.debian.org/security/2023/dsa-5521
https://www.debian.org/security/2023/dsa-5522