Improper Input Validation in tomcat8 | CVE-2023-45648

Q: How to fix?

Upgrade Amazon-Linux:2018.03 tomcat8 to version 0:8.5.94-1.95.amzn1 or higher. This issue was patched in ALAS-2023-1868 .

Threat Intelligence

0.45% (75^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-AMZN201803-TOMCAT8-6003666
published18 Oct 2023
disclosed10 Oct 2023

Report a new vulnerability Found a mistake?

Introduced: 10 Oct 2023

CVE-2023-45648 (opens in a new tab) CWE-20 (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2018.03 tomcat8 to version 0:8.5.94-1.95.amzn1 or higher.
This issue was patched in ALAS-2023-1868.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat8 package and not the tomcat8 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

References

CVSS Scores

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Privileges Required (PR)
None
User Interaction (UI)
None

Scope (S)
Unchanged

Confidentiality (C)
None
Integrity (I)
Low
Availability (A)
None

Improper Input Validation Affecting tomcat8 package, versions <0:8.5.94-1.95.amzn1

Severity