HTTP Request Smuggling Affecting org.apache.tomcat:tomcat-coyote package, versions [7.0.98,7.0.100) [8.5.48,8.5.51) [9.0.28,9.0.31)
Proof of concept
Do your applications use this vulnerable package?
25 Feb 2020
24 Feb 2020
How to fix?
org.apache.tomcat:tomcat-coyote to version 7.0.100, 8.5.51, 9.0.31 or higher.
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.
Affected versions of this package are vulnerable to HTTP Request Smuggling. Invalid
Transfer-Encoding headers were incorrectly processed, leading to possible information exposure if Tomcat was located behind a reverse proxy that incorrectly handled the invalid