CVE-2023-46589: 
Java vulnerability analysis and mitigation

Apache Tomcat versions from 11.0.0-M1 through 11.0.0-M10, 10.1.0-M1 through 10.1.15, 9.0.0-M1 through 9.0.82, and 8.5.0 through 8.5.95 were affected by an Improper Input Validation vulnerability (CVE-2023-46589). The vulnerability was discovered by Norihito Aimoto from OSSTech Corporation and was publicly disclosed on November 28, 2023. The issue affects the HTTP trailer header parsing functionality in Apache Tomcat (Apache Advisory, NVD).

The vulnerability stems from incorrect parsing of HTTP trailer headers in Apache Tomcat. When a trailer header exceeds the header size limit, it could cause Tomcat to incorrectly interpret a single request as multiple requests. This vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The successful exploitation of this vulnerability could lead to HTTP request smuggling when Tomcat is deployed behind a reverse proxy. This could potentially result in the addition or modification of data, affecting the integrity of the system (NetApp Advisory).

Users are recommended to upgrade to the fixed versions: Apache Tomcat 11.0.0-M11 or later, 10.1.16 or later, 9.0.83 or later, or 8.5.96 or later. These versions contain the necessary fixes to address the vulnerability (Apache Advisory).