CVE-2023-46589

EPSS 56.3%
Published 28.11.2023 16:15:06
Last modified 07.08.2025 11:15:28
Source security@apache.org
Teams watchlist Login
Open Login

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single 
request as multiple requests leading to the possibility of request 
smuggling when behind a reverse proxy.


Older, EOL versions may also be affected.


Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 8.5.0 < 8.5.96

Apache ≫ Tomcat Version >= 9.0.0 < 9.0.83

Apache ≫ Tomcat Version >= 10.1.0 < 10.1.16

Apache ≫ Tomcat Version11.0.0 Updatemilestone1

Apache ≫ Tomcat Version11.0.0 Updatemilestone10

Apache ≫ Tomcat Version11.0.0 Updatemilestone2

Apache ≫ Tomcat Version11.0.0 Updatemilestone3

Apache ≫ Tomcat Version11.0.0 Updatemilestone4

Apache ≫ Tomcat Version11.0.0 Updatemilestone5

Apache ≫ Tomcat Version11.0.0 Updatemilestone6

Apache ≫ Tomcat Version11.0.0 Updatemilestone7

Apache ≫ Tomcat Version11.0.0 Updatemilestone8

Apache ≫ Tomcat Version11.0.0 Updatemilestone9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	56.3%	0.98

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr

Vendor Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html

https://security.netapp.com/advisory/ntap-20231214-0009/

https://www.openwall.com/lists/oss-security/2023/11/28/2

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-46589

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-46589

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-46589

EUVD