id: CVE-2023-45648

info:
  name: Apache Tomcat - HTTP Request Smuggling
  author: 0x_Akoko
  severity: medium
  description: |
    Apache Tomcat versions 8.5.0 to 8.5.93, 9.0.0-M1 to 9.0.81, 10.1.0-M1 to 10.1.13, and 11.0.0-M1 to 11.0.0-M11 contain an improper input validation flaw caused by incorrect parsing of HTTP trailer headers. An attacker who sends crafted trailer headers can cause request smuggling.
  impact: |
    Attackers can perform request smuggling, potentially leading to cache poisoning, session hijacking, or bypassing security controls.
  remediation: |
    Upgrade to version 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 or later.
  reference:
    - https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
    - https://hackerone.com/reports/2299692
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45648
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-45648
    cwe-id: CWE-444
    epss-score: 0.62079
    epss-percentile: 0.98369
  metadata:
    verified: false
    max-request: 1
    vendor: apache
    product: tomcat
    shodan-query: title:"Apache Tomcat"
    fofa-query: app="APACHE-Tomcat"
  tags: cve,cve2023,apache,tomcat,http-smuggling,passive

http:
  # Request a random path so that a default Tomcat error page, which carries
  # the version banner, is returned. No trailer headers are sent: this is a
  # version check only and does not confirm that smuggling is possible.
  - method: GET
    path:
      - "{{BaseURL}}/{{randstr}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 404'
          - 'contains(body, "Apache Tomcat/")'
          # Matches banners for 8.5.0-8.5.93, 9.0.0(-M*)-9.0.80, 10.1.0(-M*)-10.1.13, 11.0.0-M1 to -M11
          - 'regex("Apache Tomcat/(8\.5\.(0|[1-9]|[1-8][0-9]|9[0-3])|9\.0\.(0(-M\d+)?|[1-9]|[1-7][0-9]|80)|10\.1\.(0(-M\d+)?|[1-9]|1[0-3])|11\.0\.0-M([1-9]|1[01]))(?:[^0-9]|$)", body)'
        condition: and

    extractors:
      # Report the version string found in the banner
      - type: regex
        part: body
        group: 1
        regex:
          - 'Apache Tomcat/([0-9.]+(-M[0-9]+)?)'
# digest: 4b0a00483046022100857ee025f088077e9778a65fe0f3fe1fcf5a343b589b852cbccf99600881ed670221009b48974485e9122e5e353a2b6e681def365e7798087b02ec91f068beb4ff239f:922c64590222798bb761d5b6d8e72950