{"affected_release": [{"advisory": "RHSA-2024:1319", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package": "tomcat", "product_name": "JWS 5.7.8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1325", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0", "package": "tomcat", "product_name": "JWS 6.0.1", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:0539", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "tomcat-1:9.0.62-27.el8_9.3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-29T00:00:00Z"}, {"advisory": "RHSA-2024:0532", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "tomcat-1:9.0.62-5.el8_8.3", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-29T00:00:00Z"}, {"advisory": "RHSA-2024:1134", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "tomcat-1:9.0.62-37.el9_3.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:1092", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "tomcat-1:9.0.62-11.el9_2.4", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:3354", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "tomcat", "product_name": "Red Hat Fuse 7.13.0", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1318", "cpe": 
"cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-0:9.0.62-41.redhat_00020.1.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1324", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el8", "package": "jws6-tomcat-0:10.1.8-6.redhat_00013.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 8", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1324", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.0::el9", "package": "jws6-tomcat-0:10.1.8-6.redhat_00013.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.0 on RHEL 9", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "tomcat: HTTP request smuggling via malformed trailer headers", "id": "2252050", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252050"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request \nsmuggling when behind a reverse proxy.\nUsers are recommended to upgrade to version 11.0.0-M11\u00a0onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.", "An improper Input validation flaw was found in Apache Tomcat due to incorrect parsing of HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-46589", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pki-servlet-container", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pki-servlet-engine", 
"product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "streams for Apache Kafka"}], "public_date": "2023-11-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46589\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46589\nhttp://www.openwall.com/lists/oss-security/2023/11/28/2\nhttps://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr"], "statement": "This 
vulnerability in Apache Tomcat is of significant importance due to its potential to enable HTTP request smuggling, presenting a security risk for web applications utilizing Tomcat. The flaw arises from Tomcat's improper parsing of HTTP trailer headers, where a specially crafted header exceeding the size limit could cause Tomcat to treat a single request as multiple ones. This opens the door for attackers to manipulate requests and potentially conduct various malicious activities, such as unauthorized access, data exposure, or other exploits, particularly when Tomcat is deployed behind a reverse proxy. \nThe pki-servlet-engine package has been obsoleted by the Tomcat package. Therefore, this issue will be fixed in the Tomcat package rather than the pki-servlet-engine package. Please follow the RHEL Tomcat trackers instead for the updates.", "threat_severity": "Important"}