What is CVE-2023-46589?

CVE-2023-46589 is a vulnerability in Apache Software Foundation Tomcat, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2023-11-28.

Is CVE-2023-46589 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Tomcat

CVE-2023-46589

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A t…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.537 (98.0th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions 11.0.0-M1, 10.1.0-M1, 9.0.0-M1

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

Public proof-of-concept exploits

References

lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr (vendor-advisory)
www.openwall.com/lists/oss-security/2023/11/28/2

Frequently asked questions

What is CVE-2023-46589?: CVE-2023-46589 is a vulnerability in Apache Software Foundation Tomcat, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Published 2023-11-28.
Is CVE-2023-46589 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.