Seal Security

CVE-2023-28709

Apache Tomcat - Fix for CVE-2023-24998 was incomplete

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Versions

org.apache.tomcat.embed:tomcat-embed-core >= 11.0.0-M2 < 11.0.0-M5; org.apache.tomcat.embed:tomcat-embed-core >= 10.1.5 < 10.1.8; org.apache.tomcat.embed:tomcat-embed-core >= 9.0.71 < 9.0.74; org.apache.tomcat:tomcat-coyote >= 8.5.85 < 8.5.88

Severity

High

Ecosystem

Publish Date

July 6, 2023

Modified Date

April 24, 2024