Apache Tomcat has an HTTP request smuggling vulnerability (CVE-2022-42252). When rejectIllegalHeader is set to false (the default in 8.5.x only; 9.0.x and later default to true), Tomcat does not reject a request that carries an invalid Content-Length header. If a reverse proxy in front of Tomcat also forwards such a request, an unauthenticated attacker can use the malformed header to make the proxy and Tomcat disagree about where one request ends and the next begins, that is, smuggle a request past the proxy's access controls. Remediation therefore has two parts: upgrade to a fixed release, and make sure no connector sets rejectIllegalHeader="false" (in server.xml, or in Spring Boot through a TomcatConnectorCustomizer that calls connector.setProperty("rejectIllegalHeader", "false")).
I. Affected versions
According to the Apache Tomcat security advisory, the affected releases are 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67 and 10.1.0-M1 to 10.1.1; the fix is in 8.5.83, 9.0.68 and 10.1.2. The 9.0.69 used below is on the fixed side of the 9.0 branch.
II. Upgrading the Tomcat embedded in Spring Boot
The simplest route is to override the tomcat.version property that spring-boot-dependencies manages, in the pom's <properties> section; that bumps all three tomcat-embed-* artifacts together. The alternative below excludes the starter's Tomcat and declares the artifacts explicitly. If you take this route, keep tomcat-embed-core, tomcat-embed-el and tomcat-embed-websocket at the same version, since mixing versions is not supported.
1. Exclude the starter's Tomcat jars
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>
2. Declare the fixed Tomcat jars explicitly
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-core</artifactId>
    <version>9.0.69</version>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-el</artifactId>
    <version>9.0.69</version>
</dependency>
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-websocket</artifactId>
    <version>9.0.69</version>
</dependency>
III. Verifying the upgrade
IDEA's Maven tool window (or the pom's dependency diagram) shows the resolved dependency tree quickly; mvn dependency:tree -Dincludes=org.apache.tomcat.embed gives the same information from the command line. Check that all three tomcat-embed-* artifacts resolve to the same fixed version and that no other dependency path still pulls in an older tomcat-embed-core.
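The check described above, done from the text output of mvn dependency:tree rather than by eye, as an added example that is not part of the original post. It parses the tomcat-embed-* lines of the tree, compares each version against the fixed release for its branch (8.5.83, 9.0.68, 10.1.2, taken from the Tomcat advisory) and flags artifacts that resolve to different versions. The two tree outputs embedded in the script are constructed samples, not captured from a real build; the 2.7.4 / 9.0.65 pairing in the "before" sample is illustrative.

```python
import re

# Fixed versions per branch, from the Apache Tomcat security advisory for
# CVE-2022-42252. Branches outside this table (e.g. 11.0.0-Mx) are reported
# as "unknown" rather than guessed.
FIXED_IN = {
    (8, 5): "8.5.83",
    (9, 0): "9.0.68",
    (10, 1): "10.1.2",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# One dependency line of `mvn dependency:tree` output, e.g.
# "[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.65:compile"
TREE_LINE_RE = re.compile(
    r"org\.apache\.tomcat\.embed:(tomcat-embed-[a-z]+):jar:([^:\s]+):(\w+)"
)


def parse_version(version):
    """Turn '9.0.69' or '10.1.0-M17' into a sortable tuple.

    A milestone (-Mn) sorts before the GA release with the same numbers,
    so 10.1.0-M17 < 10.1.0 < 10.1.2.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    rank = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + rank


def is_vulnerable(version):
    """True if `version` predates the CVE-2022-42252 fix on its branch,
    False if it is the fixed release or later, None if the branch is not
    in FIXED_IN."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def scan_dependency_tree(tree_output):
    """Map each tomcat-embed-* artifact in the tree to (version, vulnerable?)."""
    found = {}
    for line in tree_output.splitlines():
        m = TREE_LINE_RE.search(line)
        if m:
            artifact, version, _scope = m.groups()
            found[artifact] = (version, is_vulnerable(version))
    return found


def report(tree_output):
    """One verdict line per artifact, plus a warning if versions are mixed."""
    found = scan_dependency_tree(tree_output)
    lines = []
    for artifact, (version, vuln) in sorted(found.items()):
        status = {True: "VULNERABLE", False: "fixed", None: "unknown branch"}[vuln]
        lines.append(f"{artifact} {version}: {status}")
    if len({v for v, _ in found.values()}) > 1:
        lines.append("WARNING: tomcat-embed-* artifacts resolve to different versions")
    return lines


# Constructed sample output (not captured from a real build) for a project
# before and after the exclusion-plus-explicit-dependency upgrade above.
BEFORE_UPGRADE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.4:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.4:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.65:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.65:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.65:compile
"""

AFTER_UPGRADE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.4:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.69:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.69:compile
[INFO] \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.69:compile
"""

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(f"--- {label} upgrade ---")
        print("\n".join(report(tree)))
```

To use it on a real project, pipe the output of mvn dependency:tree into the script in place of the embedded samples; the scan looks only at org.apache.tomcat.embed artifacts, so a second path that still brings in an old tomcat-embed-core shows up as a separate VULNERABLE line together with the mixed-version warning.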