CVE-2022-42252 - Request Smuggling

Severity: None2022-11-18

Security Advisories


If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

The Oxygen products incorporate Apache Tomcat as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Feedback v2.1.3 and olderNone Oxygen Feedback 2.1.4 build 2022111716
Oxygen XML Web Author v25.0.0 and olderNone Oxygen XML Web Author build 2023020615
Oxygen Content Fusion v5.0.1 and olderNone Oxygen Content Fusion 5.0.2 build 2022121305





Severity: High

CVSS Score: 7.5

The Apache Tomcat third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42252 vulnerability description. However, the Oxygen products doesn't set rejectIllegalHeader to false. For that reason Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen Feedback v2.1.4 build 2022111716 Apache Tomcat library was updated to v9.0.68 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.2 build 2023020615 Apache Tomcat library was updated to v9.0.69 which fixes this vulnerability.

List of Security Advisories