CVE-2023-45648: 
Java vulnerability analysis and mitigation

Apache Tomcat versions from 11.0.0-M1 through 11.0.0-M11, 10.1.0-M1 through 10.1.13, 9.0.0-M1 through 9.0.81, and 8.5.0 through 8.5.93 were affected by an Improper Input Validation vulnerability (CVE-2023-45648). The vulnerability was discovered in October 2023 and affects the HTTP trailer header parsing functionality in Apache Tomcat (Apache Advisory, NVD).

The vulnerability stems from incorrect parsing of HTTP trailer headers in Apache Tomcat. When a specially crafted, invalid trailer header is received, it could cause Tomcat to incorrectly interpret a single request as multiple requests. This vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The primary impact of this vulnerability is the possibility of request smuggling attacks when Tomcat is deployed behind a reverse proxy. This could potentially lead to the addition or modification of data through manipulated requests (NetApp Advisory, Debian Advisory).

Users are recommended to upgrade to the fixed versions: Apache Tomcat 11.0.0-M12 or later, 10.1.14 or later, 9.0.81 or later, or 8.5.94 or later. These versions contain the necessary fixes to address the vulnerability (Apache Advisory, NVD).