[FALSE-POSITIVE] CVE-2023-45648

[cepakj]

Template IDs or paths

**Template affected:**  
`http/cves/2023/CVE-2023-45648.yaml`
 
The passive version detection regex in the template incorrectly flags Apache Tomcat versions **10.1.14 and higher** (including the current latest 10.1.52) as vulnerable to **CVE-2023-45648**.

Environment

- OS: 
- Nuclei: 
- Go:

Steps To Reproduce

Run nuclei against any server running Tomcat 10.1.14 – 10.1.52 (e.g. visible in default 404 page: Apache Tomcat/10.1.52 (Debian)).

Relevant dumped responses

Anything else?

No response

[Kylianghd]

Confirmed the false-positive. Root cause is a partial regex match in the passive version detection: Apache Tomcat/10.1.52 could match the prefix Apache Tomcat/10.1.5 because the pattern wasn’t bounded.

I opened PR #15459 to fix this by adding an end boundary (?:[^0-9]|$) (and tightening the contains check to Apache Tomcat/).

Validation :

Tomcat 10.1.13 → match (expected / vulnerable range)

Tomcat 10.1.52 → no match (expected / patched)

This should prevent FPs on 10.1.14+ and other higher versions

[M507]

I confirm the false-positive. It flags Apache Tomcat/9.0.113

PoC:

curl -X 'GET' -d '' -H 'Accept: */*' -H 'Accept-Language: en' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0' 'https://domain.com/3AoTW5nMklxbaOQwbHBnpYQKnyv' -k
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;3AoTW5nMklxbaOQwbHBnpYQKnyv] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.113</h3></body></html>