GHSA-f2gq-p6qv-ccw4

Suggest an improvement
Source
https://github.com/advisories/GHSA-f2gq-p6qv-ccw4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f2gq-p6qv-ccw4/GHSA-f2gq-p6qv-ccw4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f2gq-p6qv-ccw4
Aliases
  • CVE-2005-2090
Published
2022-05-01T02:04:54Z
Modified
2023-11-08T03:56:45.810311Z
Summary
Tomcat Vulnerable to Web Cache Poisoning
Details

Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Last affected
5.0.19

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Last affected
4.1.24