CVE-2023-45648
Description
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
Risk Information
Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
Exploitation Probability
59.475
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795,CVE-2023-42794 are fixed in Apache Tomcat 9.0.81 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795,CVE-2023-42794 are fixed in Apache Tomcat 8.5.94 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.2.0.0 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.15 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.5 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 12.0 | Windows |
| Vulnerabilities CVE-2023-45648 are fixed in Apache - tomcat 11.0.0 | Windows |
| Vulnerabilities CVE-2023-45648 are fixed in Apache - tomcat 10.1.14 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-42795 are fixed in Apache - tomcat 9.0.81 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-42795 are fixed in Apache - tomcat 8.5.94 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core 11.0.0 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core 10.1.14 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core 9.0.81 | Windows |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core 8.5.94 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.11 | Windows |
| Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.5.18 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.1.2.14 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.2.3.7 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.3.2.2 | Windows |
| tomcat10 security update(DSA-5521-1) tomcat10_10.1.6-1+deb12u1_all.deb | Linux |
| tomcat9 security update(DSA-5522-1) tomcat9_9.0.43-2~deb11u7_all.deb | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-admin-webapps-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-docs-webapp-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-el-3.0-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-jsp-2.3-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-lib-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-servlet-4.0-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0125)Moderate: security update tomcat-webapps-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat update (ELSA-2024-0125) tomcat-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-admin-webapps update (ELSA-2024-0125) tomcat-admin-webapps-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-docs-webapp update (ELSA-2024-0125) tomcat-docs-webapp-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-el-3.0-api update (ELSA-2024-0125) tomcat-el-3.0-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-jsp-2.3-api update (ELSA-2024-0125) tomcat-jsp-2.3-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-lib update (ELSA-2024-0125) tomcat-lib-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-servlet-4.0-api update (ELSA-2024-0125) tomcat-servlet-4.0-api-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| Tomcat-webapps update (ELSA-2024-0125) tomcat-webapps-9.0.62-27.el8_9.2.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-admin-webapps-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-docs-webapp-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-el-3.0-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-jsp-2.3-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-lib-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-servlet-4.0-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| (RHSA-2024:0474)Moderate: security update tomcat-webapps-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat update (ELSA-2024-0474) tomcat-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-admin-webapps update (ELSA-2024-0474) tomcat-admin-webapps-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-docs-webapp update (ELSA-2024-0474) tomcat-docs-webapp-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-el-3.0-api update (ELSA-2024-0474) tomcat-el-3.0-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-jsp-2.3-api update (ELSA-2024-0474) tomcat-jsp-2.3-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-lib update (ELSA-2024-0474) tomcat-lib-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-servlet-4.0-api update (ELSA-2024-0474) tomcat-servlet-4.0-api-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| Tomcat-webapps update (ELSA-2024-0474) tomcat-webapps-9.0.62-37.el9_3.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-lib-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-webapps-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-el-3_0-api-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-jsp-2_3-api-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-admin-webapps-9.0.85-150200.57.1.noarch.rpm | Linux |
| SUSE-SU-2024:0472-1(Web and Scripting Module 15-SP5) tomcat-servlet-4_0-api-9.0.85-150200.57.1.noarch.rpm | Linux |
| Tomcat update (ELSA-2024-3307) tomcat-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-admin-webapps update (ELSA-2024-3307) tomcat-admin-webapps-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-docs-webapp update (ELSA-2024-3307) tomcat-docs-webapp-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-el-3.0-api update (ELSA-2024-3307) tomcat-el-3.0-api-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-jsp-2.3-api update (ELSA-2024-3307) tomcat-jsp-2.3-api-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-lib update (ELSA-2024-3307) tomcat-lib-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-servlet-4.0-api update (ELSA-2024-3307) tomcat-servlet-4.0-api-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Tomcat-webapps update (ELSA-2024-3307) tomcat-webapps-9.0.87-1.el9_4.1.noarch.rpm | Linux |
| Servlet and JSP engine (USN-7106-1) libtomcat9-java_9.0.31-1ubuntu0.8_all.deb | Linux |
| Servlet and JSP engine (USN-7106-1) tomcat9_9.0.31-1ubuntu0.8_all.deb | Linux |
| Vulnerabilities CVE-2023-45648 are fixed in Apache - tomcat for Linux 11.0.0 | Linux |
| Vulnerabilities CVE-2023-45648 are fixed in Apache - tomcat for Linux 10.1.14 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-42795 are fixed in Apache - tomcat for Linux 9.0.81 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-42795 are fixed in Apache - tomcat for Linux 8.5.94 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core for Linux 11.0.0 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core for Linux 10.1.14 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core for Linux 9.0.81 | Linux |
| Vulnerabilities CVE-2023-45648,CVE-2023-44487,CVE-2023-42795 are fixed in Apache - tomcat-embed-core for Linux 8.5.94 | Linux |
| CVE-2023-45648 | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234