CVE-2022-42252
Request Smuggling vulnerability in tomcat-embed-core (Maven)
What is CVE-2022-42252 About?
This vulnerability in Apache Tomcat (versions 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26, 10.1.0-M1 to 10.1.0) enables HTTP request smuggling. It occurs when Tomcat is configured to ignore invalid HTTP headers (`rejectIllegalHeader=false`) and is deployed behind a reverse proxy that also fails to reject invalid headers. Exploiting this can lead to severe security bypasses by manipulating HTTP requests.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >10.0.0-M1, <10.0.27
  - >9.0.0-M1, <9.0.68
  - >8.5.0, <8.5.83
  - >10.1.0-M1, <10.1.1
- org.apache.tomcat:tomcat-coyote
  - >10.0.0-M1, <10.0.27
  - >9.0.0-M1, <9.0.68
  - >10.1.0-M1, <10.1.1
Technical Details
The vulnerability is a classic HTTP request smuggling flaw that occurs when Apache Tomcat is configured with `rejectIllegalHeader` set to `false` (the default for 8.5.x versions). In this configuration, Tomcat does not reject HTTP requests containing a malformed or invalid Content-Length header. This becomes exploitable when Tomcat sits behind a reverse proxy that also fails to reject such requests. An attacker can send a specially crafted HTTP request that is interpreted differently by the front-end reverse proxy and the back-end Tomcat server. This discrepancy in interpretation allows the attacker to 'smuggle' a second, illicit request within the same HTTP connection; that request bypasses the security controls imposed by the reverse proxy and is then processed by Tomcat. The attack vector is a malformed HTTP request header, specifically Content-Length.
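The parsing discrepancy described above, as an added example that is not Tomcat's or any proxy's code: a strict Content-Length check following RFC 9110 beside the kind of permissive parse (Python's `int()`) a lenient hop might apply, plus a helper that flags requests on which the two hops would not agree. The request bytes are constructed samples and the function names are assumptions.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no inner whitespace).
_DIGITS = re.compile(r"[0-9]+")


def parse_headers(raw):
    """Split a raw HTTP/1.1 request head into lower-cased (name, value) pairs,
    trimming only the optional whitespace around each value (RFC 9112 5.1)."""
    fields = []
    for line in raw.decode("iso-8859-1").split("\r\n")[1:]:  # [0] = request line
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"header line without colon: {line!r}")
        fields.append((name.strip().lower(), value.strip(" \t")))
    return fields


def strict_content_length(fields):
    """Body length per RFC 9110, or None if absent; ValueError means reject."""
    values = [v for n, v in fields if n == "content-length"]
    if not values:
        return None
    if len(set(values)) != 1:  # a repeated header is tolerable only if identical
        raise ValueError(f"conflicting Content-Length values: {values}")
    if not _DIGITS.fullmatch(values[0]):
        raise ValueError(f"invalid Content-Length: {values[0]!r}")
    return int(values[0])


def lenient_content_length(fields):
    """A permissive hop (illustrative, not Tomcat's code): first value through
    int(), which happily accepts '+42', ' 42' and '4_2'."""
    for n, v in fields:
        if n == "content-length":
            try:
                return int(v)
            except ValueError:
                return None
    return None


def framing_disagrees(raw):
    """True when a lenient hop would forward a request that a strict hop
    rejects, i.e. the two hops may not agree on where the body ends."""
    fields = parse_headers(raw)
    try:
        strict_content_length(fields)
        return False
    except ValueError:
        return lenient_content_length(fields) is not None
```

Only when every hop on the path rejects what `strict_content_length` rejects does the chain frame each body the same way, which is why the fix is to reject on both Tomcat and the proxy rather than to tolerate on either.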
What is the Impact of CVE-2022-42252?
Successful exploitation may allow attackers to bypass security mechanisms, access internal resources, poison web caches, or perform unauthorized actions, potentially leading to data breaches or further system compromise.
What is the Exploitability of CVE-2022-42252?
Exploitation of this vulnerability is complex, as it relies on a specific set of environmental conditions. The primary prerequisite is that Tomcat must be configured with `rejectIllegalHeader` set to `false` (the default for some versions), and critically, it must be deployed behind a reverse proxy that also tolerates invalid HTTP headers. An attacker needs to understand how both the proxy and Tomcat parse HTTP requests in order to create a differential parsing effect. There are no explicit authentication or privilege requirements to initiate the request smuggling; it is a network-level attack on the HTTP protocol, and the vulnerability is remotely exploitable. The special conditions are the specific Tomcat configuration and the presence of a similarly permissive reverse proxy. Risk is significantly higher in complex deployments with multiple layers of HTTP processing, where misconfigurations or differing parsing behaviours are more likely to occur.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-42252?
About the Fix from Resolved Security
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.0, <8.5.83 → Upgrade to 8.5.83
  - >9.0.0-M1, <9.0.68 → Upgrade to 9.0.68
  - >10.0.0-M1, <10.0.27 → Upgrade to 10.0.27
  - >10.1.0-M1, <10.1.1 → Upgrade to 10.1.1
- org.apache.tomcat:tomcat-coyote
  - >9.0.0-M1, <9.0.68 → Upgrade to 9.0.68
  - >10.0.0-M1, <10.0.27 → Upgrade to 10.0.27
  - >10.1.0-M1, <10.1.1 → Upgrade to 10.1.1
Additional Resources
- https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
- https://nvd.nist.gov/vuln/detail/CVE-2022-42252
- https://tomcat.apache.org/security-9.html
- https://security.gentoo.org/glsa/202305-37
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-8.html
- https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a
- https://github.com/apache/tomcat/commit/c9fe754e5d17e262dfbd3eab2a03ca96ff372dc3
- https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77
What are Similar Vulnerabilities to CVE-2022-42252?
Similar Vulnerabilities: CVE-2023-4586, CVE-2023-29402, CVE-2023-38035, CVE-2023-46726, CVE-2023-44878
