
CVE-2013-4286: Apache Tomcat is vulnerable to HTTP request smuggling

CVSS Score: 5.8

Basic Information

EPSS Score: 0.96486%
Published: 5/14/2022
Updated: 2/21/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Package Name               Ecosystem   Vulnerable Versions          First Patched Version
org.apache.tomcat:tomcat   maven       < 6.0.39                     6.0.39
org.apache.tomcat:tomcat   maven       >= 7.0.0, < 7.0.47           7.0.47
org.apache.tomcat:tomcat   maven       >= 8.0.0-RC1, < 8.0.0-RC3    8.0.0-RC3

Vulnerability Intelligence

Root Cause Analysis

The patches for CVE-2013-4286 modify the prepareRequest() methods in AbstractAjpProcessor and AbstractHttp11Processor to correctly handle inconsistent HTTP request headers that leave the message-body length ambiguous: multiple Content-Length headers, and Content-Length combined with Transfer-Encoding: chunked. Because these changes directly address the vulnerability, those two methods are the primary points of interest for runtime detection.
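The two inconsistencies named above are the classic preconditions for request smuggling, because a front-end proxy and the back-end server may pick different headers to decide where one request's body ends and the next begins. The following is an added example, not Tomcat's code and not part of the Miggo analysis: a small, strict framing validator in Python that parses a raw request head and rejects both cases (plus the related RFC 7230 rules that a Content-Length must be numeric and that "chunked" must be the final transfer coding). The function names, the 400/200 verdicts and the sample requests are all constructed for illustration.

```python
"""Constructed example: strict HTTP/1.1 request-framing validation.

Rejects the two header inconsistencies named in the CVE-2013-4286 analysis:
  * more than one Content-Length value (separate headers or a comma list), and
  * a Content-Length header combined with Transfer-Encoding: chunked.
Illustrative code only; it does not reproduce Tomcat's prepareRequest().
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_request_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request head (everything before the blank line) into the
    request line and a list of (name, value) pairs.  Header names are
    case-insensitive, so they are lower-cased here; values keep their case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_verdict(headers: List[Header]) -> Tuple[int, str]:
    """Return (status, reason).  200 means the body framing is unambiguous;
    400 means the request must be rejected before any body byte is consumed."""
    cl_values: List[str] = []
    te_values: List[str] = []
    for name, value in headers:
        # A comma-separated list counts as several values (RFC 7230 3.2.2),
        # so "Content-Length: 5, 5" is treated the same as two header lines.
        if name == "content-length":
            cl_values.extend(v.strip() for v in value.split(","))
        elif name == "transfer-encoding":
            te_values.extend(v.strip().lower() for v in value.split(","))

    chunked = "chunked" in te_values

    if len(cl_values) > 1:
        return 400, "multiple Content-Length values"
    if cl_values and chunked:
        return 400, "Content-Length combined with Transfer-Encoding: chunked"
    if cl_values and not cl_values[0].isdigit():
        return 400, "non-numeric Content-Length"
    if te_values and te_values[-1] != "chunked":
        return 400, "Transfer-Encoding present but chunked is not the final coding"
    if chunked:
        return 200, "chunked body"
    if cl_values:
        return 200, f"fixed-length body of {int(cl_values[0])} bytes"
    return 200, "no body"


def check_raw_request(raw: bytes) -> Tuple[int, str]:
    """Convenience wrapper: parse the head, then judge the framing."""
    _, headers = parse_request_head(raw)
    return framing_verdict(headers)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "double_cl": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nContent-Length: 20\r\n\r\nhello",
    "cl_and_te": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "te_only": b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        status, reason = check_raw_request(raw)
        print(f"{label:10s} -> {status} ({reason})")
```

The design choice worth noting is that rejection happens before any body is read: once a server has consumed bytes under one interpretation of the length, a proxy in front of it that chose the other interpretation is already desynchronised, so silently "picking one" is exactly the behaviour that made the original issue exploitable. RFC 7230 permits a server to honour Transfer-Encoding and ignore Content-Length; the stricter 400 shown here is the safer default for a validator placed in front of an unpatched server.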


WAF Protection Rules

WAF Rule

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identifi
