Apache Tomcat: Fix for CVE-2023-24998 is incomplete
CVE-2023-28709

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 22 May 2023

What is CVE-2023-28709?

The vulnerability arises due to an incomplete fix for a prior issue in Apache Tomcat, affecting certain versions where custom HTTP connector settings have been configured. This flaw allows attackers to exploit bypass mechanisms for the maximum number of request parameters, permitting them to circumvent the restrictions imposed on uploaded request parts. An attacker could utilize this behavior to potentially launch a denial of service attack by submitting crafted requests that exploit the parameter limits, leading to service disruption.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Tomcat 11.0.0-M2 <= 11.0.0-M4

Apache Tomcat 10.1.5 <= 10.1.7

Apache Tomcat 9.0.71 <= 9.0.73

References

https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/05/22/1

https://security.gentoo.org/glsa/202305-37

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2023
Vulnerability Reserved
Mar 21, 2023

Credit

Chenwei Jiang, Chenfeng Nie and Yue Yang from the Huawei Nebula Security Lab

JSON

Apache

What is CVE-2023-28709?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.