Apache Tomcat may reject request containing invalid Content-Length header
High severity
GitHub Reviewed
Published
Nov 1, 2022
to the GitHub Advisory Database
•
Updated Apr 23, 2024
Package
Affected versions
>= 8.5.0, < 8.5.83
>= 9.0.0-M1, < 9.0.68
>= 10.0.0-M1, < 10.0.27
>= 10.1.0-M1, < 10.1.1
Patched versions
8.5.83
9.0.68
10.0.27
10.1.1
>= 9.0.0-M1, < 9.0.68
>= 10.0.0-M1, < 10.0.27
>= 10.1.0-M1, < 10.1.1
9.0.68
10.0.27
10.1.1
Description
Published by the National Vulnerability Database
Nov 1, 2022
Published to the GitHub Advisory Database
Nov 1, 2022
Reviewed
Nov 1, 2022
Last updated
Apr 23, 2024
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
References