{"id":26771,"date":"2024-01-21T12:32:46","date_gmt":"2024-01-21T19:32:46","guid":{"rendered":"https:\/\/sn1persecurity.com\/wordpress\/?p=26771"},"modified":"2024-02-05T09:32:56","modified_gmt":"2024-02-05T16:32:56","slug":"cve-2024-21733-apache-tomcat-http-request-smuggling","status":"publish","type":"post","link":"https:\/\/sn1persecurity.com\/wordpress\/cve-2024-21733-apache-tomcat-http-request-smuggling\/","title":{"rendered":"CVE-2024-21733 Apache Tomcat HTTP Request Smuggling"},"content":{"rendered":"

Our security research team recently discovered a critical “0day” vulnerability which was assigned CVE-2024-21733<\/a>. The vulnerability was discovered by xer0dayz<\/a> from Sn1perSecurity<\/a> LLC and allows attackers to force a victim’s browser to de-synchronize its connection with websites hosted on top of Apache Tomcat, causing sensitive data to be smuggled from the server and\/or client connections. In some cases, this can leak sensitive data such as clear-text credentials.<\/p>\n

Severity: CRITICAL<\/span> | Exploit Available: Yes<\/span> | Exploitability: Easy<\/span> | Remotely Exploitable: Yes<\/span><\/strong><\/p>\n

<\/p>\n

Description<\/h3>\n

Apache Tomcat from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43 are vulnerable to client-side de-sync attacks. For more info regarding Client-Side De-Sync attacks, please refer to James Kettle’s research here: Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling<\/a><\/p>\n

Impact<\/h3>\n

Vulnerabilities related to client-side de-synchronization (CSD) arise when a web server fails to accurately process the Content-Length of POST requests. Exploiting this issue enables an attacker to manipulate a victim’s browser, leading to a disconnection misalignment with the website. This manipulation can result in the unauthorized extraction of sensitive data from both server and client connections.<\/p>\n

The severity of the impact varies based on the applications utilizing Tomcat as the backend web server, potentially exposing confidential information such as clear-text credentials. For instance, our team identified an instance in ManageEngine’s ADSelfService Plus<\/a> portal prior to version 6304<\/span><\/strong>, where clear-text Active Directory credentials could be surreptitiously obtained from client connections as seen below.<\/p>\n

For a full list of affected ManageEngine products and versions, please see https:\/\/www.manageengine.com\/security\/advisory\/tomcat\/Advisory-CVE-2024-21733.html<\/a> for more details. Given the severity of this vulnerability, ManageEngine customers are strongly advised to upgrade to the latest build of the affected products immediately.<\/p>\n

PoC \/ Exploit<\/h3>\n

\"\"<\/a><\/p>\n

Affected Software<\/h3>\n

Apache Tomcat from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43 are vulnerable.<\/p>\n

Product Description<\/h3>\n

The Apache Tomcat\u00ae<\/sup> software is an open source implementation of the Jakarta Servlet<\/a>, Jakarta Server Pages<\/a>, Jakarta Expression Language<\/a>, Jakarta WebSocket<\/a>, Jakarta Annotations<\/a> and Jakarta Authentication<\/a> specifications.<\/p>\n

Solution<\/h3>\n

Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.<\/p>\n

Detection<\/h3>\n

A template to detect this vulnerability will be made available exclusively to Sn1per Professional<\/a> and Sn1per Enterprise<\/a> customers within 30 days of the patch being released.<\/p>\n

References<\/h3>\n

https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-21733<\/a>
\nhttps:\/\/tomcat.apache.org\/security-9.html<\/a>
\nhttps:\/\/tomcat.apache.org\/security-8.html<\/a>
\nhttps:\/\/portswigger.net\/research\/browser-powered-desync-attacks<\/a><\/p>\n

Credit<\/h3>\n

xer0dayz<\/a> from Sn1perSecurity<\/a> LLC<\/p>\n

 <\/p>\n

\r\n\r\n<\/span>\r\nFacebook<\/span>\r\n\r\n9<\/span>\r\n\r\n<\/a>\r\n\r\n\r\n\r\n<\/span>\r\nTwitter<\/span>\r\n\r\n2<\/span>\r\n\r\n<\/a>\r\n\r\n\r\n\r\n<\/span>\r\nReddit<\/span>\r\n\r\n1<\/span>\r\n\r\n<\/a>\r\n\r\n\r\n\r\n<\/span>\r\nLinkedin<\/span>\r\n\r\n1<\/span>\r\n\r\n<\/a>\r\n\r\n<\/i><\/span><\/a>
X<\/span>\r\n\r\n<\/span>\r\nEmail<\/span>\r\n3<\/span>\t\t\t\t\r\n\r\n<\/a>\r\n<\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"

Our security research team recently discovered a critical “0day” vulnerability which was assigned CVE-2024-21733. The vulnerability was discovered by xer0dayz from Sn1perSecurity LLC […]<\/p>\n","protected":false},"author":1,"featured_media":26793,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[290,80,99,184,289,338],"tags":[137,106,352,318,52,38,42,37,108,36],"class_list":["post-26771","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-attack-surface-management","category-bug-bounties","category-cves","category-news","category-penetration-testing","category-threat-intelligence","tag-0day","tag-cve","tag-cve-2024-21733","tag-detection","tag-exploit","tag-professional","tag-scanner","tag-sn1per","tag-vulnerability","tag-xer0dayz"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2024\/01\/CVE-2024-21733.png","jetpack_shortlink":"https:\/\/wp.me\/pdnW96-6XN","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":17958,"url":"https:\/\/sn1persecurity.com\/wordpress\/spring4shell-cve-2022-22965-detection-with-sn1per-professional\/","url_meta":{"origin":26771,"position":0},"title":"Spring4Shell (CVE-2022-22965) Detection with Sn1per Professional","author":"xer0dayz","date":"April 11, 2022","format":false,"excerpt":"On March 30, 2022, information regarding a critical 0-day vulnerability affecting the Spring Framework was disclosed and dubbed \"Spring4Shell\" CVE-2022-22965 which allows an un-authenticated attacker to execute arbitrary code on vulnerable servers. Given the impact and severity of the vulnerability, Sn1perSecurity has released an out-of-band update to help detect vulnerable\u2026","rel":"","context":"In "Attack Surface Management"","block_context":{"text":"Attack Surface Management","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/attack-surface-management\/"},"img":{"alt_text":"Sn1per-Spring4Shell-Scanner1","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Spring4Shell-Scanner1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":18193,"url":"https:\/\/sn1persecurity.com\/wordpress\/big-ip-icontrol-rest-rce-cve-2022-1388-detection-with-sn1per-professional\/","url_meta":{"origin":26771,"position":1},"title":"BIG-IP iControl REST RCE (CVE-2022-1388) Detection with Sn1per Professional","author":"xer0dayz","date":"May 10, 2022","format":false,"excerpt":"A critical vulnerability affecting the F5 BIG-IP devices was disclosed and designated CVE-2022-1388 which allows an un-authenticated attacker to execute arbitrary code on vulnerable servers. A number of Proof-of-Concept (PoC) exploits were published online and exploit activity is actively being observed. Given the impact and severity of the vulnerability, Sn1perSecurity\u2026","rel":"","context":"In "Attack Surface Management"","block_context":{"text":"Attack Surface Management","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/attack-surface-management\/"},"img":{"alt_text":"Sn1per-CVE-2022-1388-Scanner1","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/05\/Sn1per-CVE-2022-1388-Scanner1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":17988,"url":"https:\/\/sn1persecurity.com\/wordpress\/vmware-workspace-one-access-freemarker-ssti-cve-2022-22954-detection-with-sn1per-professional\/","url_meta":{"origin":26771,"position":2},"title":"VMware Workspace ONE Access freemarker SSTI (CVE-2022-22954) Detection with Sn1per Professional","author":"xer0dayz","date":"April 14, 2022","format":false,"excerpt":"Information regarding a critical 0-day vulnerability affecting the VMware Workspace ONE Access and Identity Manager was disclosed and designated CVE-2022-22954 which allows an un-authenticated attacker to execute arbitrary code on vulnerable servers. On April 14th, CISA & US-Cert added CVE-2022-22954 to their catalog of known exploited vulnerabilities after a number\u2026","rel":"","context":"In "Attack Surface Management"","block_context":{"text":"Attack Surface Management","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/attack-surface-management\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-cve-2022-22954-detection1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":18544,"url":"https:\/\/sn1persecurity.com\/wordpress\/confluence-rce-ognl-template-injection-cve-2022-26134\/","url_meta":{"origin":26771,"position":3},"title":"Confluence RCE via OGNL template injection (CVE-2022-26134)","author":"xer0dayz","date":"June 5, 2022","format":false,"excerpt":"A critical vulnerability affecting the Atlassian Confluence was disclosed and designated CVE-2022-26134 which allows an un-authenticated attacker to execute arbitrary code on vulnerable servers. A number of Proof-of-Concept (PoC) exploits were published online and exploit activity is actively being observed. Given the impact and severity of the vulnerability, Sn1perSecurity has\u2026","rel":"","context":"In "Attack Surface Management"","block_context":{"text":"Attack Surface Management","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/attack-surface-management\/"},"img":{"alt_text":"Sn1per-CVE-2022-26134-detection1","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/06\/Sn1per-CVE-2022-26134-detection1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":18011,"url":"https:\/\/sn1persecurity.com\/wordpress\/sn1per-professional-v10-1-se-update-released\/","url_meta":{"origin":26771,"position":4},"title":"Sn1per Professional v10.1 SE Update Released!","author":"xer0dayz","date":"April 19, 2022","format":false,"excerpt":"Sn1per Professional v10.1 Scan Engine (SE) update is now available for Sn1per Professional v10.0 customers with a ton of new features and improvements. This update is part of the Sn1per Professional SE development branch which is exclusively available only to Sn1per Professional v10.0 customers. If you are a previous customer\u2026","rel":"","context":"In "News"","block_context":{"text":"News","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/news\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2022\/04\/Sn1per-Professional-v10.1-Update.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":14967,"url":"https:\/\/sn1persecurity.com\/wordpress\/continuous-attack-surface-management-with-sn1per-professional\/","url_meta":{"origin":26771,"position":5},"title":"Attack Surface Management With Sn1per Professional","author":"xer0dayz","date":"February 8, 2021","format":false,"excerpt":"External Attack Surface Management (EASM) has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the\u2026","rel":"","context":"In "Attack Surface Management"","block_context":{"text":"Attack Surface Management","link":"https:\/\/sn1persecurity.com\/wordpress\/category\/attack-surface-management\/"},"img":{"alt_text":"Sn1per Professional Continuous Attack Surface Testing","src":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/sn1persecurity.com\/wordpress\/wp-content\/uploads\/2021\/02\/Sn1per-Professional-Continuous-Attack-Surface-Testing.png?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/posts\/26771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/comments?post=26771"}],"version-history":[{"count":15,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/posts\/26771\/revisions"}],"predecessor-version":[{"id":26836,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/posts\/26771\/revisions\/26836"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/media\/26793"}],"wp:attachment":[{"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/media?parent=26771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/categories?post=26771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sn1persecurity.com\/wordpress\/wp-json\/wp\/v2\/tags?post=26771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}