CVE-2023-45648

Aliases:GHSA-r6j3-px5g-cq3xBIT-tomcat-2023-45648

Advisory lineage Upstream: 0 Downstream: 15

Downstream

DEBIAN-CVE-2023-45648 DLA-3617-1 DSA-5521-1 DSA-5522-1 MGASA-2023-0319 OPENSUSE-SU-2024:13382-1

Modified

Published: 10 Oct 2023, 18:38

Last modified:29 Oct 2025, 12:00

Vulnerability Summary

Overall Risk (default)

medium

34/100

CVSS Score

5.3 MEDIUM

v3.1 (cve.org)

EPSS Score

62.08% CRITICAL

62% probability +61.35%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Oct 2023, 18:38

Published

Vulnerability first disclosed

29 Oct 2025, 12:00

Last Modified

Vulnerability information updated

Description

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 62.08%• Percentile: 98%

Techniques & Countermeasures

CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

apache software foundation•apache tomcat
≥ 11.0.0-M1, ≤ 11.0.0-M11 | ≥ 10.1.0-M1, ≤ 10.1.13 | ≥ 9.0.0-M1, ≤ 9.0.81 | ≥ 8.5.0, ≤ 8.5.93
Unknown•Tomcat
≥ 8.5.0, < 8.5.94 | ≥ 9.0.1, < 9.0.81 | ≥ 10.1.1, < 10.1.14 | 9.0.0:milestone1 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone12 | 9.0.0:milestone13 | 9.0.0:milestone14 | 9.0.0:milestone15 | 9.0.0:milestone16 | 9.0.0:milestone17 | 9.0.0:milestone18 | 9.0.0:milestone19 | 9.0.0:milestone2 | 9.0.0:milestone20 | 9.0.0:milestone21 | 9.0.0:milestone22 | 9.0.0:milestone23 | 9.0.0:milestone24 | 9.0.0:milestone25 | 9.0.0:milestone26 | 9.0.0:milestone27 | 9.0.0:milestone3 | 9.0.0:milestone4 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9 | 10.1.0:milestone1 | 10.1.0:milestone10 | 10.1.0:milestone11 | 10.1.0:milestone12 | 10.1.0:milestone13 | 10.1.0:milestone14 | 10.1.0:milestone15 | 10.1.0:milestone16 | 10.1.0:milestone17 | 10.1.0:milestone18 | 10.1.0:milestone19 | 10.1.0:milestone2 | 10.1.0:milestone20 | 10.1.0:milestone3 | 10.1.0:milestone4 | 10.1.0:milestone5 | 10.1.0:milestone6 | 10.1.0:milestone7 | 10.1.0:milestone8 | 10.1.0:milestone9 | 11.0.0:milestone1 | 11.0.0:milestone10 | 11.0.0:milestone11 | 11.0.0:milestone2 | 11.0.0:milestone3 | 11.0.0:milestone4 | 11.0.0:milestone5 | 11.0.0:milestone6 | 11.0.0:milestone7 | 11.0.0:milestone8 | 11.0.0:milestone9
debian•debian_linux
10.0 | 11.0 | 12.0
org.apache.tomcat•tomcat
≥ 11.0.0-M1, < 11.0.0-M12 | ≥ 10.1.0-M1, < 10.1.14 | ≥ 9.0.0-M1, < 9.0.81 | ≥ 8.5.0, < 8.5.94
org.apache.tomcat.embed•tomcat-embed-core
≥ 11.0.0-M1, < 11.0.0-M12 | ≥ 10.1.0-M1, < 10.1.14 | ≥ 9.0.0-M1, < 9.0.81 | ≥ 8.5.0, < 8.5.94