Tomcat Request Smuggling

IDs: 
CVE-2013-4286
Keywords: 
Tomcat, Request Smuggling
Description: 

The following Apache software components are affected by a request smuggling vulnerability (CVE-2013-4286) with medium severity.

  • Apache Tomcat 8.0.0-RC1 to 8.0.0-RC10
  • Apache Tomcat 7.0.0 to 7.0.50
  • Apache Tomcat 6.0.0 to 6.0.37

When a request contains multiple Content-Length headers, or a combination of Content-Length headers and Transfer-Encoding: chunked, Apache Tomcat will misinterpret the content.

Since Airlock terminates the incoming HTTP protocol and rebuilds a clean HTTP request to the back-end, Airlock protects against this vulnerability.
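
A check for the ambiguous framing described above, as an added example (not Airlock's or Tomcat's code): it flags a request that carries multiple Content-Length values or Content-Length together with Transfer-Encoding: chunked. The function names, finding codes and sample requests are constructed for illustration.

```python
import re

def parse_headers(raw: bytes):
    """Return (lowercased name, value) pairs from the head of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if b":" not in line:
            continue                           # malformed line, ignored here
        name, value = line.split(b":", 1)
        pairs.append((name.strip().lower().decode("latin-1"),
                      value.strip().decode("latin-1")))
    return pairs

def framing_findings(raw: bytes):
    """Return codes for each framing ambiguity found in one request."""
    headers = parse_headers(raw)
    # A comma-separated Content-Length counts the same as repeated headers.
    lengths = [v.strip() for n, val in headers if n == "content-length"
               for v in val.split(",")]
    codings = [c.strip().lower() for n, val in headers
               if n == "transfer-encoding" for c in val.split(",")]
    findings = []
    if len(lengths) > 1:
        findings.append("multiple-content-length")
    if any(not re.fullmatch(r"[0-9]+", v) for v in lengths):
        findings.append("invalid-content-length")
    if lengths and "chunked" in codings:
        findings.append("content-length-with-chunked")
    return findings

# Constructed sample requests (host and path are placeholders).
CLEAN = (b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
TWO_CL = (b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")
CL_TE = (b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("two CL", TWO_CL), ("CL+TE", CL_TE)):
        print(label, framing_findings(req) or "ok")
```

A request with any finding is one where two HTTP parsers can disagree on where the body ends, so it is a candidate for rejection or logging before it reaches the back-end.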

Resolution: 

Airlock protects vulnerable back-ends. No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock