PT-2023-6329 · Apache+9 · Apache Tomcat+9

Jianjun Chen

Published

2023-10-10

Updated

2026-02-11

CVE-2023-45648

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.0-M11 Apache Tomcat versions 10.1.0-M1 through 10.1.13 Apache Tomcat versions 9.0.0-M1 through 9.0.81 Apache Tomcat versions 8.5.0 through 8.5.93

Description The issue is related to improper input validation in Apache Tomcat, where the server does not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Recommendations Upgrade to version 11.0.0-M12 onwards Upgrade to version 10.1.14 onwards Upgrade to version 9.0.81 onwards Upgrade to version 8.5.94 onwards

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALSA-2024:0125

ALSA-2024:0474

ALT-PU-2023-8058

ALT-PU-2024-4687

ALT-PU-2024-4975

ALT-PU-2025-2379

ALT-PU-2025-9146

BDU:2023-07041

BIT-TOMCAT-2023-45648

CESA-2024_0125

CVE-2023-45648

DLA-3617-1

DSA-5521-1

DSA-5522-1

GHSA-R6J3-PX5G-CQ3X

MGASA-2023-0319

OESA-2023-1788

OPENSUSE-SU-2024:13382-1

OPENSUSE-SU-2024_0472-1

RHSA-2023:6206

RHSA-2024:0125

RHSA-2024:0474

RHSA-2024_0125

RHSA-2024_0474

ROSA-SA-2024-2418

SUSE-SU-2023:4337-1

SUSE-SU-2023:4423-1

SUSE-SU-2024:0472-1

USN-7106-1

USN-7562-1

Affected Products

Alt Linux

Almalinux

Apache Tomcat

Astra Linux

Centos

Linuxmint

Red Hat

Red Os

Suse

Ubuntu

PT-2023-6329 · Apache+9 · Apache Tomcat+9

CVE-2023-45648

Weakness Enumeration

Related Identifiers

Affected Products

References · 101