Date: Mon, 22 May 2023 11:10:05 +0100 From: Mark Thomas <markt@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M2 to 11.0.0-M4 Apache Tomcat 10.1.5 to 10.1.7 Apache Tomcat 9.0.71 to 9.0.73 Apache Tomcat 8.5.85 to 8.5.87 Description: The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M5 or later - Upgrade to Apache Tomcat 10.1.8 or later - Upgrade to Apache Tomcat 9.0.74 or later - Upgrade to Apache Tomcat 8.5.88 or later Credit: This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang from the Huawei Nebula Security Lab History: 2023-05-22 Original advisory References:  https://tomcat.apache.org/security-11.html  https://tomcat.apache.org/security-10.html  https://tomcat.apache.org/security-9.html  https://tomcat.apache.org/security-8.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.