CVE-2023-46589 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.15
Apache Tomcat 9.0.0-M1 to 9.0.82
Apache Tomcat 8.5.0 to 8.5.95

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
Upgrade to Apache Tomcat 11.0.0-M11 or later
Upgrade to Apache Tomcat 10.1.16 or later
Upgrade to Apache Tomcat 9.0.83 or later
Upgrade to Apache Tomcat 8.5.96 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Norihito Aimoto (OSSTech Corporation).

History:
2023-11-28 Original advisory

References:
1. https://tomcat.apache.org/security-11.html
2. https://tomcat.apache.org/security-10.html
3. https://tomcat.apache.org/security-9.html
4. https://tomcat.apache.org/security-8.html
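The description above states the defensive property that matters: when a chunked trailer section exceeds the configured size limit, the server must reject the whole message and close the connection, rather than resynchronise on the bytes that follow and let a reverse proxy and the backend disagree on where one request ends and the next begins. The following chunked-body reader is an added illustration of that fail-closed rule; it is not Tomcat code, the advisory does not describe the exact parsing defect, and the trailer limit, the exception type and the sample messages are all constructed for the example.

```python
"""Chunked transfer-encoding reader that enforces a trailer size limit and
fails closed. Added illustration for the advisory; not Tomcat code. The
limit value and the sample messages below are constructed."""

MAX_TRAILER_SIZE = 64  # constructed limit for the example


class RequestError(Exception):
    """Raised when a message must be rejected. The caller closes the
    connection and must never reparse leftover bytes as a new request."""


def read_chunked(buf: bytes, max_trailer: int = MAX_TRAILER_SIZE):
    """Parse one chunked body from buf.

    Returns (body, trailers, remaining) where remaining holds bytes after a
    complete, valid message (ordinary pipelining). Any defect, including an
    over-size trailer section, raises RequestError instead of returning a
    partial result, so no remaining bytes are ever handed back in that case.
    """
    pos = 0
    body = bytearray()
    # chunk-size line, chunk data, CRLF, repeated until a zero-size chunk
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise RequestError("incomplete chunk-size line")
        size_field = buf[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise RequestError("bad chunk size")
        pos = end + 2
        if size == 0:
            break
        if len(buf) < pos + size + 2 or buf[pos + size:pos + size + 2] != b"\r\n":
            raise RequestError("truncated chunk")
        body += buf[pos:pos + size]
        pos += size + 2

    # trailer section: header lines terminated by an empty line
    trailers = {}
    trailer_bytes = 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise RequestError("incomplete trailer section")
        line = buf[pos:end]
        pos = end + 2
        trailer_bytes += len(line) + 2
        if trailer_bytes > max_trailer:
            # Fail closed: do not skip the line and carry on, and do not
            # return the leftover bytes. Continuing here is what lets the
            # proxy and the server count a different number of requests.
            raise RequestError("trailer section exceeds limit")
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise RequestError("malformed trailer line")
        trailers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return bytes(body), trailers, buf[pos:]


def classify(buf: bytes):
    """Connection-handling decision a server loop would act on."""
    try:
        body, trailers, rest = read_chunked(buf)
        return ("ok", body, trailers, rest)
    except RequestError as exc:
        return ("reject-and-close", str(exc))


# Constructed sample messages.
GOOD = b"5\r\nhello\r\n0\r\nX-Check: ok\r\n\r\n"
PIPELINED = GOOD + b"1\r\nA\r\n0\r\n\r\n"
OVERSIZE = b"0\r\nX-Pad: " + b"A" * 200 + b"\r\n\r\n" + b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(classify(GOOD))       # ('ok', b'hello', {'x-check': 'ok'}, b'')
    print(classify(PIPELINED))  # leftover bytes returned for the next request
    print(classify(OVERSIZE))   # ('reject-and-close', 'trailer section exceeds limit')
```

The point of the `OVERSIZE` case is that the bytes after the over-long trailer are discarded with the connection instead of being returned as the start of a second request; a server that keeps parsing after hitting the limit is the behaviour the advisory describes as leading to request smuggling behind a reverse proxy.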