Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when Tomcat is deployed behind a reverse proxy. Specifically:
- Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the "identity" transfer encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Each of these lets a reverse proxy and Tomcat disagree about where one request ends and the next begins on a shared connection, which is the precondition for request smuggling.
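The desync the three points describe, as an added example that is not Tomcat's or the advisory's code: a small Python model with two framing policies applied to one constructed byte stream. The lenient policy models the three leniencies (reading "would only accept an HTTP/1.0 response" as an HTTP/1.0 request line is an assumption of the model, not something the advisory states); the strict policy follows RFC 7230 section 3.3.3. The sample request stream, header values and all function names are constructed for this example.

```python
"""Framing-desync model for the Transfer-Encoding flaws described above.
Added example, not Tomcat's code.  The lenient policy models the advisory's
three leniencies (assumed: Transfer-Encoding ignored on an HTTP/1.0 request
line, "identity" accepted, "chunked" honoured anywhere in the list); the
strict policy follows RFC 7230 3.3.3.  All sample data is constructed."""

CRLF = b"\r\n"


class FramingError(ValueError):
    """Message length cannot be determined reliably; answer 400 and close."""


def parse_transfer_encoding(value):
    """Split a Transfer-Encoding field value into lower-cased coding names."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def choose_framing(version, headers, strict):
    """Return ("chunked", None), ("length", n) or ("none", 0) for one request."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None and (strict or version != "HTTP/1.0"):
        codings = parse_transfer_encoding(te)
        if strict:
            if "identity" in codings:
                raise FramingError("identity is not a valid transfer coding")
            if codings[-1] != "chunked":
                raise FramingError("chunked must be the final transfer coding")
            return ("chunked", None)   # RFC 7230: TE overrides Content-Length
        if "chunked" in codings:
            return ("chunked", None)   # lenient: chunked anywhere in the list
        # lenient: a list without chunked (e.g. "identity") is treated as absent
    if cl is not None:
        return ("length", int(cl))
    return ("none", 0)


def describe_framing(version, headers, strict):
    """choose_framing as a short string, with FramingError rendered as "400"."""
    try:
        kind, n = choose_framing(version, headers, strict)
    except FramingError:
        return "400"
    return f"length:{n}" if kind == "length" else kind


def read_chunked(buf, pos):
    """Consume a chunked body starting at pos; return (decoded_body, new_pos)."""
    body = bytearray()
    while True:
        end = buf.index(CRLF, pos)
        size = int(buf[pos:end].split(b";")[0].decode("ascii").strip(), 16)
        pos = end + 2
        if size == 0:                  # last chunk: skip trailers to the empty line
            while buf[pos:pos + 2] != CRLF:
                pos = buf.index(CRLF, pos) + 2
            return bytes(body), pos + 2
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise FramingError("missing CRLF after chunk data")
        pos += 2


def split_requests(stream, strict):
    """Split a raw byte stream into (request_line, body) pairs under one policy."""
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(CRLF + CRLF, pos)
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        version = lines[0].split()[-1]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        kind, n = choose_framing(version, headers, strict)
        if kind == "chunked":
            body, pos = read_chunked(stream, pos)
        else:
            body, pos = stream[pos:pos + n], pos + n
        requests.append((lines[0], body))
    return requests


# Constructed sample stream: an HTTP/1.0 request line carrying both framing
# headers.  Content-Length covers the terminating chunk AND a second request,
# so a Content-Length reader sees one POST while a chunked reader sees two.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE = (
    b"POST /api HTTP/1.0\r\nHost: app\r\nTransfer-Encoding: chunked\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(BODY)
    + BODY
)

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient", [l for l, _ in split_requests(SAMPLE, strict)])
```

Run stand-alone, the strict policy reports two requests (the POST and the GET) where the lenient one reports a single POST whose body contains the GET; that disagreement between two hops on one connection is what an attacker exploits. The same `describe_framing` helper shows the other two leniencies: "chunked, identity" and "chunked, gzip" are rejected with 400 only by the strict policy, and "chunked" on an HTTP/1.0 request line is honoured only by the strict policy.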
Fix status: the "No Fix Known" flag on this entry is stale. The affected ranges stop at 10.0.6, 9.0.46 and 8.5.66 because the Apache Tomcat security pages list the fix in 10.0.7, 9.0.48 and 8.5.68; upgrade to one of those releases or later. Until that is done, the practical mitigation sits at the reverse proxy: reject or normalise requests that carry both Transfer-Encoding and Content-Length, or a Transfer-Encoding list that is not a single final "chunked", so that both hops frame every request the same way.
Affected Products: 42
References: 32
| Vendor | Product | Affected versions |
| --- | --- | --- |
| apache | tomcat | 8.5.0 - 8.5.66, 9.0.0.M1 - 9.0.46, 10.0.0-M1 - 10.0.6 |
| apache | tomee | - |
| debian | debian_linux | - |
| oracle | agile_plm | - |
| oracle | communications_cloud_native_core_policy | - |
| oracle | communications_cloud_native_core_service_communication_proxy | - |
| oracle | communications_diameter_signaling_router | 8.0.0.0 - 8.5.0.2 |
| oracle | communications_instant_messaging_server | - |
| oracle | communications_policy_management | - |
| oracle | communications_pricing_design_center | - |
| oracle | communications_session_report_manager | 8.0.0 - 8.2.4.0 |
| oracle | communications_session_route_manager | 8.0.0 - 8.2.4 |
| oracle | graph_server_and_client | 21.4 |
| oracle | healthcare_translational_research | - |
| oracle | hospitality_cruise_shipboard_property_management_system | - |
| oracle | instantis_enterprisetrack | - |
| oracle | managed_file_transfer | - |
| oracle | mysql_enterprise_monitor | 8.0.25 |
| oracle | sd-wan_edge | - |
| oracle | secure_global_desktop | - |
| oracle | utilities_testing_accelerator | - |
| mcafee | epolicy_orchestrator | 5.10.0 |
| mcafee | epolicy_orchestrator | - |

A dash means no version range is listed for that product on this page; the Tomcat ranges are those given in the description above.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base score 5.3 (Medium); exploitability sub-score 3.9, impact sub-score 1.4 (both computed from the vector above). The integrity-only rating reflects the generic smuggling outcome, an attacker-controlled request prefix appended to another client's traffic on the proxy-to-Tomcat connection; the real impact depends on what is reachable behind the proxy.