If Apache Tomcat 8.5.0 through 8.5.82, 9.0.0-M1 through 9.0.67, 10.0.0-M1 through 10.0.26 and 10.1.0-M1 through 10.1.0 was configured to ignore invalid HTTP headers via setting "rejectIllegalHeader" to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
HIGH Vulnerable Package issue exists @ org.apache.tomcat:tomcat-coyote in branch master
Description
If Apache Tomcat 8.5.0 through 8.5.82, 9.0.0-M1 through 9.0.67, 10.0.0-M1 through 10.0.26 and 10.1.0-M1 through 10.1.0 was configured to ignore invalid HTTP headers via setting "rejectIllegalHeader" to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
HIGH Vulnerable Package issue exists @ org.apache.tomcat:tomcat-coyote in branch master
Vulnerability ID: CVE-2022-42252
Package Name: org.apache.tomcat:tomcat-coyote
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2022-11-01T09:15:00
Current Package Version: 9.0.22
Remediation Upgrade Recommendation: 9.0.68
Link To SCA
Reference – NVD link