Description
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Remediation
References
Related Vulnerabilities
WordPress Plugin Premmerce Variation Swatches for WooCommerce Security Bypass (1.0)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4401)
WordPress Plugin Timber Cross-Site Scripting (1.2.2)
WordPress Plugin Simple Share Buttons Adder Cross-Site Scripting (5.6)
OpenSSL Inadequate Encryption Strength Vulnerability (CVE-2020-1968)