CVE-2022-42252 - Request Smuggling
Severity: None
Date: 2022-11-18
Abstract
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability
--- | --- | ---
Oxygen Feedback v2.1.3 and older | None | Oxygen Feedback 2.1.4 build 2022111716
Oxygen XML Web Author v25.0.0 and older | None | Oxygen XML Web Author 25.0.0.2 build 2023020615
Oxygen Content Fusion v5.0.1 and older | None | Oxygen Content Fusion 5.0.2 build 2022121305
Detail
CVE-2022-42252
Severity: High
CVSS Score: 7.5
The Apache Tomcat third-party library used by the Oxygen XML products is one of the affected versions listed in the CVE-2022-42252 vulnerability description. However, the Oxygen products do not set rejectIllegalHeader to false, so the vulnerable code path is never reached. For that reason the Oxygen XML products are not affected by this vulnerability.
Starting with Oxygen Feedback v2.1.4 build 2022111716, the Apache Tomcat library was updated to v9.0.68, which fixes this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.2 build 2023020615, the Apache Tomcat library was updated to v9.0.69, which fixes this vulnerability.
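The advisory turns on one behaviour: whether a server rejects a request whose Content-Length header is not a plain decimal number, or silently ignores that header. The following added example (not Oxygen's or Tomcat's code) models both modes with a small, constructed HTTP/1.1 header parser, so a defender can see why the strict mode is the safe default behind a reverse proxy. The function and header names are assumptions made for the example, not Tomcat API.

```python
import re
from typing import List, Optional, Tuple

# RFC 9110 section 8.6: Content-Length = 1*DIGIT. Anything else is invalid.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


class IllegalHeaderError(ValueError):
    """Raised when a request must be rejected instead of passed on."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into lower-cased (name, value) pairs.
    Constructed, minimal parser: stops at the blank line, no line folding."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep:
            raise IllegalHeaderError(f"malformed header line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def content_length(raw: bytes, reject_illegal_header: bool = True) -> Optional[int]:
    """Body length the server will honour, or None if no Content-Length.
    reject_illegal_header=True: an invalid value fails the whole request.
    reject_illegal_header=False: models the lenient mode in the advisory; the
    bad header is ignored, so this parser sees no body while a front end that
    accepted the header would forward one, and the two disagree on where the
    request ends."""
    values = [v for n, v in parse_headers(raw) if n == "content-length"]
    if not values:
        return None
    all_valid = all(_CONTENT_LENGTH_RE.match(v) for v in values)
    # Repeated Content-Length fields are only acceptable when they all agree.
    if not all_valid or len(set(values)) != 1:
        if reject_illegal_header:
            raise IllegalHeaderError(f"invalid Content-Length: {values!r}")
        return None
    return int(values[0])


def rejects(raw: bytes) -> bool:
    """True if strict mode refuses the request (helper for the checks below)."""
    try:
        content_length(raw, reject_illegal_header=True)
        return False
    except IllegalHeaderError:
        return True


# Constructed sample requests for the example.
GOOD = b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"
BAD = b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Length: 5x\r\n\r\nhello"
DUP = b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"
```

Running the strict and lenient modes over the same malformed request shows the disagreement the advisory describes: strict mode refuses it outright, while lenient mode accepts it as a bodyless request.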