CVE-2023-28709

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28709

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28709.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-28709

Aliases

Related

Published

2023-05-22T11:15:09Z

Modified

2024-09-11T04:58:31.540216Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

References

Affected packages

Debian:12 / tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.6-1+deb12u1

Affected versions

10.*

10.1.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / tomcat10

Package

Name: tomcat10
Purl: pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.1.10-1

Affected versions

10.*

10.1.6-1

10.1.7-1

10.1.8-1

10.1.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/tomcat

Affected ranges

Type: GIT
Repo: https://github.com/apache/tomcat
Events: Last affected

3b6de549bdf4f6486c39daa0ae8e4d4b7475b1f6

Introduced

f6eebe2ef959503150432dc2700181bd29a5ebc9

Last affected

473ef42c637c97eb17b38c5580a6b854dfe27a02

Last affected

4b03c23ad60e678c1d1a85df815fb6cd8d14ca67

Introduced

83ff421c4725bccfd7bec1a16b8ca3cb61bedd2a

Last affected

5452041bb674b46ea1390ee86b8f846728ec1236

Last affected

8afe2647d7801172cc304f4a47d8aad9646d2985

Introduced

7b1f4ce0b82641bf76a3d763bd97d5522513b57b

Last affected

9179f3c22aead8702936eace5c46e8860b644b3c