Apache Tomcat: Fix for CVE-2023-24998 is incomplete
CVE-2023-28709

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 22 May 2023

Summary

The vulnerability arises due to an incomplete fix for a prior issue in Apache Tomcat, affecting certain versions where custom HTTP connector settings have been configured. This flaw allows attackers to exploit bypass mechanisms for the maximum number of request parameters, permitting them to circumvent the restrictions imposed on uploaded request parts. An attacker could utilize this behavior to potentially launch a denial of service attack by submitting crafted requests that exploit the parameter limits, leading to service disruption.

Affected Version(s)

Apache Tomcat 11.0.0-M2 <= 11.0.0-M4

Apache Tomcat 10.1.5 <= 10.1.7

Apache Tomcat 9.0.71 <= 9.0.73

References

https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/05/22/1

https://security.gentoo.org/glsa/202305-37

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2023
Vulnerability Reserved
Mar 21, 2023

Credit

Chenwei Jiang, Chenfeng Nie and Yue Yang from the Huawei Nebula Security Lab