VID: 210229
Severity: 40
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description: The version of Tomcat installed on the remote host is prior to 10.0.27.

It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.27_security-10 advisory.
- If Tomcat was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default), Tomcat did not reject a request containing an invalid Content-Length header. This made a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. (CVE-2022-42252)

* References:
https://github.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.27

* Platforms Affected:
Apache Tomcat Server versions 10.0.x prior to 10.0.27
Any operating system, any version
Recommendation: Upgrade to the latest version of Apache Tomcat Server (10.0.27 or later), available from the Apache Software Foundation download site, http://tomcat.apache.org/
Related URL: CVE-2022-42252 (CVE)