CVE-2022-42252

Description

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

How to fix CVE-2022-42252

To remediate CVE-2022-42252, upgrade the affected package to a fixed version below.

• —upgrade to 8.5.83 or later
• —upgrade to 9.0.43-2~deb11u6 or later
• —upgrade to 9.0.31-1~deb10u8 or later
• —upgrade to 9.0.43-2~deb11u6 or later
• —upgrade to 8.5.83 or later
• —upgrade to 9.0.68 or later

Is CVE-2022-42252 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 8.5.0, < 8.5.83, >= 9.0.0, < 9.0.68, >= 10.0.0, < 10.0.27, >= 10.1.0, < 10.1.1
• from 0, < 9.0.43-2~deb11u6
• from 0, < 9.0.31-1~deb10u8
• from 0, < 9.0.43-2~deb11u6
• >= 8.5.0, < 8.5.83
• >= 9.0.0-M1, < 9.0.68

CVSS scores

References (12)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42252
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-42252
• PATCHgithub.com/apache/tomcat
• WEBgithub.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920