{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T18:46:09.168","vulnerabilities":[{"cve":{"id":"CVE-2022-42252","sourceIdentifier":"security@apache.org","published":"2022-11-01T09:15:10.817","lastModified":"2025-05-06T16:15:26.137","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header."},{"lang":"es","value":"Si Apache Tomcat 8.5.0 a 8.5.82, 9.0.0-M1 a 9.0.67, 10.0.0-M1 a 10.0.26 o 10.1.0-M1 a 10.1.0 se configuró para ignorar encabezados HTTP no válidos mediante la configuración de rechazarIllegalHeader a falso (el valor predeterminado solo para 8.5.x), Tomcat no rechazó una solicitud que contenía un encabezado Content-Length no válido, lo que hace posible un ataque de contrabando de solicitudes si Tomcat estaba ubicado detrás de un proxy inverso que tampoco rechazó la solicitud con el encabezado no válido."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]},{"source":"nvd@nist.gov","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"8.5.0","versionEndExcluding":"8.5.83","matchCriteriaId":"3E039E8B-0529-4FD1-8111-7DA0A1C9AD6A"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.68","matchCriteriaId":"EF4E5330-DCA5-44CA-8976-4A30144C99DD"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.0.27","matchCriteriaId":"B30CA0D9-834D-4044-B03B-7E6E60A4B0E6"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"10.1.0","versionEndExcluding":"10.1.1","matchCriteriaId":"4718424B-1ACF-426E-869B-C63A6B925192"}]}]}],"references":[{"url":"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://security.gentoo.org/glsa/202305-37","source":"security@apache.org"},{"url":"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]},{"url":"https://security.gentoo.org/glsa/202305-37","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}