PT-2023-8633 · Apache+11 · Apache Tomcat+13
Norihito Aimoto
Published 2023-11-13 · Updated 2026-04-28
CVE-2023-46589
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M10
Apache Tomcat versions 10.1.0-M1 through 10.1.15
Apache Tomcat versions 9.0.0-M1 through 9.0.82
Apache Tomcat versions 8.5.0 through 8.5.95
Description
The issue is an Improper Input Validation vulnerability in Apache Tomcat: Tomcat did not correctly parse HTTP trailer headers. When a trailer header exceeds the configured header size limit, Tomcat may treat a single request as multiple requests; behind a reverse proxy this enables HTTP request smuggling.
Recommendations
To resolve the issue, upgrade to Apache Tomcat 11.0.0-M11 or later, 10.1.16 or later, 9.0.83 or later, or 8.5.96 or later; these releases fix the issue.
For Bitbucket Data Center and Server, upgrade to a release greater than or equal to 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, or 8.16.2.
For Bamboo Data Center and Server, upgrade to a release greater than or equal to 9.2.8, 9.3.6, or 9.4.2.
As a temporary workaround, consider restricting access to the vulnerable module to minimize the risk of exploitation.
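The affected and fixed ranges stated above can be checked mechanically rather than by eye, which matters because milestone builds (11.0.0-M10 is affected, 11.0.0-M11 is not) do not sort correctly as plain strings. The Python below is an added example written for this page, not code from Apache Tomcat or from the advisory's author. It encodes only the ranges this advisory lists, orders a milestone build (-Mn) before the final release of the same x.y.z, and reads the running version from the "Server version: Apache Tomcat/x.y.z" line printed by Tomcat's bin/version.sh (the line format is an assumption about that script, and the sample output is constructed, not captured from a real host).

```python
import re

# Affected ranges as stated in the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M10"),
    ("10.1.0-M1", "10.1.15"),
    ("9.0.0-M1", "9.0.82"),
    ("8.5.0", "8.5.95"),
]

# First fixed release per branch, keyed by (major, minor), as stated in the advisory.
FIRST_FIXED = {
    (11, 0): "11.0.0-M11",
    (10, 1): "10.1.16",
    (9, 0): "9.0.83",
    (8, 5): "8.5.96",
}

# A final release sorts after every milestone build of the same x.y.z,
# so it gets a sentinel larger than any plausible milestone number.
_FINAL = 10**9
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '9.0.82' or '11.0.0-M10' into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else _FINAL)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def first_fixed(version):
    """Minimum release on the same branch that fixes the issue, or None when the
    branch is not covered by this advisory (for example 8.0.x)."""
    major, minor, _, _ = parse_version(version)
    return FIRST_FIXED.get((major, minor))


def version_from_tool_output(text):
    """Extract x.y.z from the 'Server version: Apache Tomcat/x.y.z' line that
    bin/version.sh prints (assumed format)."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", text)
    return m.group(1) if m else None


# Constructed sample of version.sh output; not captured from a real host.
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.82
Server built:   (constructed sample)
Server number:  9.0.82.0
"""


def assess(tool_output):
    """Return (version, affected, first_fixed) for a version.sh dump."""
    v = version_from_tool_output(tool_output)
    if v is None:
        return (None, False, None)
    return (v, is_affected(v), first_fixed(v))


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # → ('9.0.82', True, '9.0.83')
```

Feed `assess()` the output of `bin/version.sh` from each Tomcat install (or from the Tomcat bundled inside Bitbucket or Bamboo) and patch every host that reports `affected=True`; a branch that returns `first_fixed=None` is simply not listed in this advisory and should be checked against the vendor's own release notes.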
Exploit
Fix
DoS
RCE
HTTP Request/Response Smuggling
Affected products
Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Bamboo
Bitbucket
Centos
Confluence
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu