Apache · Apache Tomcat · CVE-2023-46589
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 11.0.0-M1 through 11.0.0-M10
Apache Tomcat versions 10.1.0-M1 through 10.1.15
Apache Tomcat versions 9.0.0-M1 through 9.0.82
Apache Tomcat versions 8.5.0 through 8.5.95
**Description**
Apache Tomcat contains an Improper Input Validation vulnerability in its handling of HTTP trailer headers (the header lines that may follow the final chunk of a chunked-encoded request body). When a trailer header exceeds the configured header size limit, Tomcat does not parse the request correctly and may treat the remaining bytes of that single request as one or more additional requests. When Tomcat sits behind a reverse proxy that has already forwarded the bytes as one request, this desynchronisation enables request smuggling.
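To make the failure mode concrete, the following is an added example, not Tomcat's code or any code from the page: a toy HTTP/1.1 request parser with a chunked-body decoder that enforces a trailer size limit. In the flawed variant the decoder gives up on the trailer section once the limit is exceeded but leaves the unread bytes in the connection buffer, so the next parse picks them up as a fresh request; in the fixed variant the request is rejected and the connection closed. The limit value `MAX_TRAILER_SIZE`, the exact point at which the flawed variant stops consuming, and the assumption that the reverse proxy forwards the chunked body unchanged are all constructed for the illustration; the sample traffic is likewise constructed.

```python
from typing import Dict, List, Tuple

# Hypothetical limit on the trailer section; stands in for Tomcat's header
# size limit (the real value is not what the model is about).
MAX_TRAILER_SIZE = 64

Request = Tuple[bytes, bytes, bytes]  # (method, target, body)


class RequestRejected(Exception):
    """Request rejected with 400; the connection must be closed."""


def _read_line(buf: bytes, pos: int) -> Tuple[bytes, int]:
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("incomplete line")
    return buf[pos:end], end + 2


def _read_headers(buf: bytes, pos: int) -> Tuple[Dict[bytes, bytes], int]:
    headers: Dict[bytes, bytes] = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            return headers, pos
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()


def _read_chunked(buf: bytes, pos: int, strict: bool) -> Tuple[bytes, int]:
    body = b""
    while True:
        size_line, pos = _read_line(buf, pos)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF
    consumed = 0
    while True:  # trailer section: header lines up to an empty line
        line, next_pos = _read_line(buf, pos)
        consumed += len(line) + 2
        if consumed > MAX_TRAILER_SIZE:
            if strict:
                # Fixed behaviour: invalid request, and since the parser no
                # longer knows where the request ends, close the connection.
                raise RequestRejected("trailer section exceeds limit")
            # Flawed behaviour (assumed model of the bug): stop after the
            # oversized line and hand the request off as complete; whatever
            # follows in the buffer is parsed as the next request.
            return body, next_pos
        pos = next_pos
        if line == b"":
            return body, pos


def parse_connection(buf: bytes, strict: bool) -> Tuple[List[Request], bool]:
    """Parse every request in a receive buffer. Returns the requests that
    would be dispatched and whether the connection was closed with a 400."""
    requests: List[Request] = []
    pos = 0
    while pos < len(buf):
        try:
            request_line, pos = _read_line(buf, pos)
            method, target, _ = request_line.split(b" ", 2)
            headers, pos = _read_headers(buf, pos)
            body = b""
            if headers.get(b"transfer-encoding") == b"chunked":
                body, pos = _read_chunked(buf, pos, strict)
        except RequestRejected:
            return requests, True
        requests.append((method, target, body))
    return requests, False


# Constructed traffic. A proxy that passes the chunked body through without
# inspecting the trailer section sees one request ending at the final blank
# line; that is an assumption about the proxy, not a claim about any product.
PREFIX = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
)
PADDING = b"A" * 80  # a single trailer line already over MAX_TRAILER_SIZE
SMUGGLED = (
    PREFIX + b"X-Padding: " + PADDING + b"\r\n"
    + b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
)
NORMAL = PREFIX + b"X-Checksum: abc123\r\n\r\n"

if __name__ == "__main__":
    for label, strict in (("flawed", False), ("fixed", True)):
        reqs, closed = parse_connection(SMUGGLED, strict)
        print(label, [(m, t) for m, t, _ in reqs], "closed:", closed)
```

Run as a script, the flawed mode reports two requests for `SMUGGLED` (the `POST /upload` the proxy forwarded, then a `GET /admin` that the proxy never saw as a request), while the fixed mode dispatches nothing and closes the connection; `NORMAL`, whose trailer fits within the limit, is accepted by both. The point to take from the fixed branch is that once the limit is exceeded the parser's notion of where the request ends is no longer trustworthy, so a 400 alone is not enough; the connection has to be closed so that no leftover bytes can be reinterpreted.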
**Recommendations**
Upgrade to Apache Tomcat 11.0.0-M11, 10.1.16, 9.0.83 or 8.5.96, or any later release of the same branch; these releases contain the fix.
For Bitbucket Data Center and Server, upgrade to a release greater than or equal to 7.21.21, 8.9.9, 8.13.5, 8.14.4, 8.15.3, or 8.16.2.
For Bamboo Data Center and Server, upgrade to a release greater than or equal to 9.2.8, 9.3.6, or 9.4.2.
Until the upgrade can be applied, restrict network access to the affected Tomcat instances to reduce the opportunity for exploitation. This only limits exposure; it does not remove the flaw, and the upgrade remains the required fix.