{"id":"CVE-2022-42252","details":"If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header. This made a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.","aliases":["BIT-tomcat-2022-42252","GHSA-p22x-g9px-3945"],"modified":"2026-03-27T08:59:33.275002Z","published":"2022-11-01T09:15:10.817Z","related":["MGASA-2023-0138","SUSE-SU-2022:4193-1","SUSE-SU-2022:4221-1","SUSE-SU-2022:4257-1","SUSE-SU-2022:4303-1","SUSE-SU-2026:1058-1","openSUSE-SU-2024:12534-1","openSUSE-SU-2024:13441-1"],"references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202305-37"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e37b977db6f47e4380ad67114a49e8568951c953"},{"fixed":"702df4f4db92b59e01d5d8824190ce2652d74a76"},{"introduced":"16bf392c67833ad549733b58c350ff92b5ee782a"},{"fixed":"0cbd87a47606a7669c784d28b5133358a4dcff41"},{"introduced":"4c8b650437e2464c1c31c6598a263b3805b7a81f"},{"fixed":"ca8720d41f3be917dc3fcdd03fcca8d3152a13fb"},{"introduced":"e9d17cddc285615807ec5fef09240777436b25dc"},{"fixed":"934df02dc68e72b95a38f372017f1b89b0d13a76"}],"database_specific":{"versions":[{"introduced":"8.5.0"},{"fixed":"8.5.83"},{"introduced":"9.0.0"},{"fixed":"9.0.68"},{"introduced":"10.0.0"},{"fixed":"10.0.27"},{"introduced":"10.1.0"},{"fixed":"10.1.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42252.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}