CVE-2023-46589 - Request Smuggling
Severity: High2024-03-08
Abstract
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
The Oxygen products incorporate Tomcat as a third-party libraries. This advisory was opened to address the potential impact of this third-party libraries vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen XML Web Author v26.0.0 and older | High | Oxygen Web Author 26.0.0.1 build 2024022608 |
| Oxygen Feedback v4.0 and older | None | Oxygen Feedback 4.1 build 2024013118 |
Detail
CVE-2023-46589
Severity: High
CVSS Score: 7.5
The Apache Tomcat third-party libraries used by Oxygen XML products are an affected version mentioned in CVE-2023-46589 vulnerability description. However, Oxygen Feedback product's design incorporates security measures that mitigates the exploitation of this vulnerability. For that reason, Oxygen Feedback is not affected by this vulnerability.
Starting with Oxygen XML Web Author v26.0.0.1 build 2024022608 Apache Tomcat library was updated to a version which fixes this vulnerability.
Starting with Oxygen Feedback v4.1 build 2024013118 Apache Tomcat library was updated to a version which fixes this vulnerability.
