CVE-2023-28709

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-28709
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28709.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-28709
Aliases
Downstream
Related
Published
2023-05-22T10:08:49.541Z
Modified
2026-05-01T04:19:29.556656Z
Summary
Apache Tomcat: Fix for CVE-2023-24998 is incomplete
Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Database specific 
{
    "cwe_ids": [
        "CWE-193"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28709.json",
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "11.0.0-M2"
                },
                {
                    "last_affected": "11.0.0-M4"
                },
                {
                    "introduced": "10.1.5"
                },
                {
                    "last_affected": "10.1.7"
                },
                {
                    "introduced": "9.0.71"
                },
                {
                    "last_affected": "9.0.73"
                },
                {
                    "introduced": "8.5.85"
                },
                {
                    "last_affected": "8.5.87"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Introduced
7b1f4ce0b82641bf76a3d763bd97d5522513b57b
Last affected
9179f3c22aead8702936eace5c46e8860b644b3c
Introduced
83ff421c4725bccfd7bec1a16b8ca3cb61bedd2a
Last affected
5452041bb674b46ea1390ee86b8f846728ec1236
Introduced
f6eebe2ef959503150432dc2700181bd29a5ebc9
Last affected
473ef42c637c97eb17b38c5580a6b854dfe27a02
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4b03c23ad60e678c1d1a85df815fb6cd8d14ca67
Last affected
8afe2647d7801172cc304f4a47d8aad9646d2985
Last affected
3b6de549bdf4f6486c39daa0ae8e4d4b7475b1f6
Database specific 
{
    "cpe": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "8.5.85"
        },
        {
            "last_affected": "8.5.87"
        },
        {
            "introduced": "9.0.71"
        },
        {
            "last_affected": "9.0.73"
        },
        {
            "introduced": "10.1.5"
        },
        {
            "last_affected": "10.1.7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "11.0.0-milestone2"
        },
        {
            "last_affected": "11.0.0-milestone3"
        },
        {
            "last_affected": "11.0.0-milestone4"
        }
    ],
    "source": "CPE_FIELD"
}

Affected versions

10.*
10.1.7
11.*
11.0.0-M2
11.0.0-M3
11.0.0-M4
8.*
8.5.87
9.*
9.0.73

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28709.json"