Apache Tomcat Vulnerability: Generation of Error Message Containing Sensitive Information
CVE-2024-21733

5.3 MEDIUM

Key Information:

Vendor
Apache
CVE Published:
19 January 2024

Badges

📈 Trended · 📈 Score: 5,570 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2024-21733?

CVE-2024-21733 is a vulnerability in Apache Tomcat, the widely used open-source implementation of the Java Servlet, JavaServer Pages, and Java Expression Language specifications. The issue is that, under certain conditions, Tomcat generates an error response that inadvertently includes sensitive information: data belonging to a previous request from a different client. An unauthenticated remote party can therefore read fragments of other users' traffic, which may assist further attacks against the application.

Technical Details

The vulnerability affects Apache Tomcat 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43. Per the Apache Tomcat security advisory, an incomplete POST request could trigger an error response whose body contained data from a previous request, so one client could receive part of another client's request content. Because the stale data is returned by the server as an error message, the weakness is classed as CWE-209 (Generation of Error Message Containing Sensitive Information), and the behaviour is also described in the news coverage below as a client-side desync. The recommended remedial action is to upgrade to 8.5.64 or later, or 9.0.44 or later, where the issue has been fixed.

Impact of the Vulnerability

  1. Information Disclosure: The primary impact of CVE-2024-21733 is unauthorized access to data from another client's earlier request. Depending on the application, that data may include credentials, session tokens, or other user-submitted content.

  2. Increased Attack Surface: Leaked request data gives a threat actor insight into how the application is used and what it accepts, making targeted follow-on attacks or data exfiltration easier.

  3. Reputation Damage and Compliance Issues: Organizations whose users' data is exposed through this vulnerability could face reputational harm if the leaked information leads to a data breach. The exposure of personal or credential data may also violate data protection regulations, with legal and financial consequences.

Affected Version(s)

Apache Tomcat 8.5.7 <= 8.5.63

Apache Tomcat 9.0.0-M11 <= 9.0.43
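The affected ranges above include milestone builds (9.0.0-M11) as well as GA releases, so a naive string comparison gets the boundaries wrong. The following is an added example, not code from the page or from the Apache Tomcat project: a small version checker that parses Tomcat version strings (accepting both the advisory's `9.0.0-M11` form and Tomcat's own `9.0.0.M11` form), tests them against the inclusive affected ranges, and extracts the version from the `Server version: Apache Tomcat/x.y.z` line that `catalina.sh version` prints. The sample banner text at the bottom is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and fixed versions, taken from the advisory.
AFFECTED_RANGES = [
    ("8.5.7", "8.5.63"),
    ("9.0.0-M11", "9.0.43"),
]
FIXED_VERSIONS = {"8.5": "8.5.64", "9.0": "9.0.44"}

# major.minor.patch with an optional milestone suffix ("-M11" or ".M11").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable tuple (major, minor, patch, stage, milestone).

    stage 0 = milestone build, stage 1 = GA release, so that
    9.0.0-M10 < 9.0.0-M11 < 9.0.0 < 9.0.1 under plain tuple comparison.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the same major.minor branch, if one is listed."""
    major, minor = parse_version(version)[:2]
    return FIXED_VERSIONS.get(f"{major}.{minor}")


# Line printed by `catalina.sh version` / `version.sh`.
SERVER_VERSION_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def version_from_banner(text: str) -> Optional[str]:
    """Pull the Tomcat version out of version.sh output; None if absent."""
    m = SERVER_VERSION_RE.search(text)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """One-line verdict for a given version string."""
    if is_affected(version):
        fix = fixed_version_for(version)
        return f"{version}: AFFECTED by CVE-2024-21733; upgrade to {fix} or later"
    return f"{version}: not in an affected range"


if __name__ == "__main__":
    # Constructed sample of `catalina.sh version` output (not real output).
    SAMPLE_BANNER = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.43
Server built:   Feb 6 2021 10:00:00 UTC
"""
    found = version_from_banner(SAMPLE_BANNER)
    print(assess(found))
    for v in ("8.5.6", "8.5.7", "8.5.63", "8.5.64",
              "9.0.0-M10", "9.0.0.M11", "9.0.44", "10.1.18"):
        print(assess(v))
```

Run it against the real output of `bin/catalina.sh version` on each host (or the `Apache Tomcat/x.y.z` string in an error page) rather than against the constructed banner; note that a version outside the listed branches (for example 10.1.x) is reported as not affected only because it is not in the advisory's ranges, not because this script knows anything else about it.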

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. A public PoC is also a key building block for weaponization, which can feed into ransomware and other intrusion campaigns. A public PoC for this vulnerability has been reported (see the timeline below).

News Articles

CVE-2024-21733 - Tomitribe

Severity: 3.1. Description: Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11...

6 months ago

CVE-2024-21733 Apache Tomcat HTTP Request Smuggling

CVE-2024-21733 - Apache Tomcat from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43 are vulnerable to client-side de-sync attacks.

1 year ago


CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (a 5.3 score with network access, no privileges and no user interaction corresponds to a single Low impact on confidentiality; a Low availability impact would raise the score to 6.5).

Timeline

  • 📈 Vulnerability started trending

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability reserved

Credit

xer0dayz (Sn1perSecurity LLC)