
CVE-2022-42252

Published: 01/11/2022 Updated: 30/05/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
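The summary above describes a parser disagreement: a proxy and Tomcat receive the same bytes but draw the request boundaries in different places when the Content-Length value is invalid. The Python model below is an added illustration and is not code from the Vulmon page, the Tomcat project, or any real proxy. The three header interpretations are simplified models (the "prefix" proxy in particular is an assumption for illustration, not the behaviour of a named product), and the request bytes are constructed.

```python
"""Model of the CVE-2022-42252 desync: two HTTP/1.1 parsers that disagree on an
invalid Content-Length header split one byte stream into different requests.
Added example, not Tomcat code; the parsers are simplified models."""
import re

# RFC 9110: Content-Length = 1*DIGIT. Anything else is an invalid header value.
_CL_VALID = re.compile(rb"^[0-9]+$")


def strict_content_length(value: bytes) -> int:
    """Conforming behaviour (Tomcat with rejectIllegalHeader=true): an invalid
    value is an error and the whole request must be rejected."""
    v = value.strip()
    if not _CL_VALID.match(v):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(v)


def ignoring_content_length(value: bytes) -> int:
    """Model of rejectIllegalHeader=false: the invalid header is dropped as if
    never sent, so the request is processed with no body (length 0)."""
    v = value.strip()
    return int(v) if _CL_VALID.match(v) else 0


def prefix_content_length(value: bytes) -> int:
    """Hypothetical lenient proxy (assumption for illustration only): uses the
    leading digit run and ignores trailing junk."""
    m = re.match(rb"[0-9]+", value.strip())
    return int(m.group(0)) if m else 0


def split_requests(stream: bytes, cl_parser):
    """Split a raw HTTP/1.1 stream into (request-line, body) pairs using the
    supplied Content-Length interpretation. Chunked encoding is not modelled."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head_lines = stream[pos:end].split(b"\r\n")
        length = 0
        for line in head_lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = cl_parser(value)
        body_start = end + 4
        requests.append((head_lines[0], stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


# Constructed traffic: one POST whose Content-Length carries trailing junk,
# followed by a second request that an attacker wants the back end to see.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"  # 42 bytes
STREAM = (
    b"POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 42abc\r\n\r\n"
    + SMUGGLED
)


if __name__ == "__main__":
    # Proxy view: one request, the 42-byte "body" is just data.
    print("proxy :", [r[0] for r in split_requests(STREAM, prefix_content_length)])
    # Back end ignoring the bad header: two requests, /admin is now a request.
    print("lenient:", [r[0] for r in split_requests(STREAM, ignoring_content_length)])
    # Back end rejecting the bad header: the stream never desyncs.
    try:
        split_requests(STREAM, strict_content_length)
    except ValueError as exc:
        print("strict :", exc)
```

The only configuration that closes the gap on the Tomcat side is the one the advisory names: `rejectIllegalHeader="true"` on the HTTP/1.1 Connector (or upgrading to a fixed release, where the invalid header is rejected regardless). Note that the proxy's leniency is the other half of the precondition; a front end that already returns 400 for this value prevents the desync on its own.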

Vulnerable Products

apache tomcat

Vendor Advisories

Red Hat JBoss Web Server 5.7.2 release and security update (Security Advisory, severity: Low). Topic: the Red Hat JBoss Web Server 5.7.2 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Microsoft Windows. Red Hat Product Security has rated this release as having ...
Red Hat JBoss Web Server 5.7.2 release and security update (Security Advisory, severity: Low). Topic: an update is now available for Red Hat JBoss Web Server 5.7.2 on Red Hat Enterprise Linux versions 7, 8, a ...
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2022-42252: if Apache Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false, Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if To ...
Description: A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid Content-Length header, making it vulnerable to a request smuggling attack. ...
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11 ...
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was lo ...