CVE-2023-46589. tomcat-embed-core - Analysis of vulnerability

Description

Severity: High
Modules impacted:

mod-password-validator Volaris
mod-tags Volaris
mod-calendar Bama
mod-notes Spitfire
mod-entities-links Spitfire
mod-search Spitfire
mod-remote-storage Volaris 
edge-caiasoft Volaris -
mod-data-export-spring Firebird
mod-ebsconet Thunderjet
mod-data-export-worker Firebird
mod-bulk-operations Firebird
mod-fqm-manager Corsair
edge-fqm Corsair –
mod-lists Corsair
edge-courses TBD –
 

Link: https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr - https://nvd.nist.gov/vuln/detail/CVE-2023-46589
Vulnerability: HTTP trailer headers causing HTTP request smuggling
Package Name: tomcat-embed-core
Fixed in 10.1.16, 9.0.83, 8.5.96


Activity

Julian Ladisch, March 21, 2024 at 8:17 PM

All edge modules have been fixed for Quesnelia.

We can close this ticket as “Approved”.

Julian Ladisch, February 1, 2024 at 7:45 PM

The mod-* modules are behind Okapi and therefore cannot be reached by an outside attacker.

Okapi uses Vert.x/Netty, not Tomcat, and therefore is not vulnerable.

Done

RCA Group: TBD

Created January 22, 2024 at 11:22 AM
Updated May 23, 2024 at 3:40 PM
Resolved April 4, 2024 at 3:12 PM