What is CVE-2023-46589?

CVE-2023-46589 is an Improper Input Validation vulnerability in Apache Tomcat that allows for HTTP request smuggling via malformed trailer headers.

How does CVE-2023-46589 affect Apache Tomcat?

CVE-2023-46589 affects Apache Tomcat versions 8.5.0 through 8.5.95, 9.0.0-M1 through 9.0.82, 10.1.0-M1 through 10.1.15, and 11.0.0-M1 through 11.0.0-M10.

What is the remedy for CVE-2023-46589 in Apache Tomcat version 8.5.96?

The remedy for CVE-2023-46589 in Apache Tomcat version 8.5.96 is to update to that specific version or a later version.

What is the remedy for CVE-2023-46589 in Apache Tomcat version 9.0.83?

The remedy for CVE-2023-46589 in Apache Tomcat version 9.0.83 is to update to that specific version or a later version.

What is the remedy for CVE-2023-46589 in Apache Tomcat version 10.1.16?

The remedy for CVE-2023-46589 in Apache Tomcat version 10.1.16 is to update to that specific version or a later version.

What is the remedy for CVE-2023-46589 in Apache Tomcat version 11.0.0-M11?

The remedy for CVE-2023-46589 in Apache Tomcat version 11.0.0-M11 is to update to that specific version or a later version.

Vulnerability/
CVE-2023-46589

high

7.5

CWE

444 20

28/11/2023

12/7/2024

CVE-2023-46589: Apache Tomcat: HTTP request smuggling via malformed trailer headers

First published: Tue Nov 28 2023(Updated: )

Affected versions: - Apache Tomcat 11.0.0-M1 through 11.0.0-M10 - Apache Tomcat 10.1.0-M1 through 10.1.15 - Apache Tomcat 9.0.0-M1 through 9.0.82 - Apache Tomcat 8.5.0 through 8.5.95 Description: Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. Credit: Norihito Aimoto (OSSTech Corporation) (finder) References: <a href="https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr">https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr</a> <a href="http://www.openwall.com/lists/oss-security/2023/11/28/2">http://www.openwall.com/lists/oss-security/2023/11/28/2</a>

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
redhat/tomcat	<9.0.83	9.0.83
Apache Tomcat	>=8.5.0<8.5.96
Apache Tomcat	>=9.0.0<9.0.83
Apache Tomcat	>=10.1.0<10.1.16
Apache Tomcat	=11.0.0-milestone1
Apache Tomcat	=11.0.0-milestone10
Apache Tomcat	=11.0.0-milestone2
Apache Tomcat	=11.0.0-milestone3
Apache Tomcat	=11.0.0-milestone4
Apache Tomcat	=11.0.0-milestone5
Apache Tomcat	=11.0.0-milestone6
Apache Tomcat	=11.0.0-milestone7
Apache Tomcat	=11.0.0-milestone8
Apache Tomcat	=11.0.0-milestone9
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.5.0<8.5.96	8.5.96
maven/org.apache.tomcat.embed:tomcat-embed-core	>=9.0.0-M1<9.0.83	9.0.83
maven/org.apache.tomcat.embed:tomcat-embed-core	>=10.1.0-M1<10.1.16	10.1.16
maven/org.apache.tomcat.embed:tomcat-embed-core	>=11.0.0-M1<11.0.0-M11	11.0.0-M11
maven/org.apache.tomcat:tomcat-catalina	>=8.5.0<8.5.96	8.5.96
maven/org.apache.tomcat:tomcat-catalina	>=9.0.0-M1<9.0.83	9.0.83
maven/org.apache.tomcat:tomcat-catalina	>=10.1.0-M1<10.1.16	10.1.16
maven/org.apache.tomcat:tomcat-catalina	>=11.0.0-M1<11.0.0-M11	11.0.0-M11
debian/tomcat10		10.1.6-1+deb12u2 10.1.30-1
debian/tomcat9		9.0.43-2~deb11u10 9.0.70-2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-46589?
CVE-2023-46589 is an Improper Input Validation vulnerability in Apache Tomcat that allows for HTTP request smuggling via malformed trailer headers.
How does CVE-2023-46589 affect Apache Tomcat?
CVE-2023-46589 affects Apache Tomcat versions 8.5.0 through 8.5.95, 9.0.0-M1 through 9.0.82, 10.1.0-M1 through 10.1.15, and 11.0.0-M1 through 11.0.0-M10.
What is the remedy for CVE-2023-46589 in Apache Tomcat version 8.5.96?
The remedy for CVE-2023-46589 in Apache Tomcat version 8.5.96 is to update to that specific version or a later version.
What is the remedy for CVE-2023-46589 in Apache Tomcat version 9.0.83?
The remedy for CVE-2023-46589 in Apache Tomcat version 9.0.83 is to update to that specific version or a later version.
What is the remedy for CVE-2023-46589 in Apache Tomcat version 10.1.16?
The remedy for CVE-2023-46589 in Apache Tomcat version 10.1.16 is to update to that specific version or a later version.
What is the remedy for CVE-2023-46589 in Apache Tomcat version 11.0.0-M11?
The remedy for CVE-2023-46589 in Apache Tomcat version 11.0.0-M11 is to update to that specific version or a later version.

collector/oss-sec
alias/CVE-2023-46589
agent/author
agent/type
agent/first-publish-date
agent/title
agent/weakness
agent/severity
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
collector/github-advisory-latest
source/GitHub
alias/GHSA-fccv-jmmp-qg76
agent/last-modified-date
collector/nvd-cve
collector/github-advisory
agent/references
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
agent/softwarecombine
agent/tags
collector/usn-cve
source/Ubuntu
agent/event
agent/description
agent/trending
package-manager/redhat
vendor/apache
canonical/apache tomcat
version/apache tomcat/8.5.0
version/apache tomcat/9.0.0
version/apache tomcat/10.1.0
version/apache tomcat/11.0.0-milestone1
version/apache tomcat/11.0.0-milestone10
version/apache tomcat/11.0.0-milestone2
version/apache tomcat/11.0.0-milestone3
version/apache tomcat/11.0.0-milestone4
version/apache tomcat/11.0.0-milestone5
version/apache tomcat/11.0.0-milestone6
version/apache tomcat/11.0.0-milestone7
version/apache tomcat/11.0.0-milestone8
version/apache tomcat/11.0.0-milestone9
package-manager/maven
package-manager/debian