CVE-2022-42252

unknown

Published 2022-11-01 · Modified 2024-04-23

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2

—

VIR risk

—

Description

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2022-42252

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2022-42252.html

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	fixed	`9.0.68-1`
debian	bullseye	fixed	`9.0.43-2~deb11u6`
debian	forky	fixed	`9.0.68-1`
debian	sid	fixed	`9.0.68-1`
debian	trixie	fixed	`9.0.68-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.tomcat.embed:tomcat-embed-core	`>=8.5.0,<8.5.83`	`8.5.83`
Maven	org.apache.tomcat.embed:tomcat-embed-core	`>=9.0.0-M1,<9.0.68`	`9.0.68`
Maven	org.apache.tomcat.embed:tomcat-embed-core	`>=10.0.0-M1,<10.0.27`	`10.0.27`
Maven	org.apache.tomcat.embed:tomcat-embed-core	`>=10.1.0-M1,<10.1.1`	`10.1.1`
Maven	org.apache.tomcat:tomcat-coyote	`>=9.0.0-M1,<9.0.68`	`9.0.68`
Maven	org.apache.tomcat:tomcat-coyote	`>=10.0.0-M1,<10.0.27`	`10.0.27`
Maven	org.apache.tomcat:tomcat-coyote	`>=10.1.0-M1,<10.1.1`	`10.1.1`

References

Verify integrity in audit chain (admin only). AS-IS.