Red Hat Bugzilla – Bug 237079
CVE-2005-2090 tomcat multiple content-length header poisioning
Last modified: 2013-05-08 14:26:06 EDT
Fixed in Apache Tomcat 5.5.23
Information disclosure CVE-2005-2090
Requests with multiple content-length headers should be rejected as invalid.
When multiple components (firewalls, caches, proxies and Tomcat) process a
sequence of requests where one or more requests contain multiple content-length
headers and several components do not reject the request and make different
decisions as to which content-length leader to use an attacker can poision a
web-cache, perform an XSS attack and obtain senstive information from requests
other then their own. Tomcat now returns 400 for requests with multiple
Affects: 5.0.0-5.0.HEAD, 5.5.0-5.5.22
Created attachment 152992 [details]
the proposed patch
advisory text: "Tomcat was found to accept multiple content-length headers in a
request. This could allow attackers to poison a web-cache, bypass web
application firewall protection, or conduct cross-site scripting attacks.
important: Directory traversal CVE-2007-0450
That is a complex attack.
This issue has been addressed in following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Please see https://access.redhat.com/security/cve/CVE-2005-2090 for a list of other products that contain this fix.