High severityNVD Advisory· Published May 22, 2023· Updated Feb 13, 2025

Apache Tomcat: Fix for CVE-2023-24998 is incomplete

CVE-2023-28709

Description

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Incomplete fix for CVE-2023-24998 in Apache Tomcat allows bypass of uploaded request parts limit using carefully crafted query string parameters, leading to denial of service.

Vulnerability

CVE-2023-28709 is an incomplete fix for CVE-2023-24998 in Apache Tomcat affecting versions 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87 [1][2][3][4]. When non-default HTTP connector settings are used such that maxParameterCount can be reached via query string parameters, a request supplying exactly maxParameterCount parameters in the query string can bypass the limit for uploaded request parts.

Exploitation

An attacker can exploit this by sending a specially crafted HTTP request with exactly maxParameterCount query string parameters. No authentication is required, but the connector must have non-default settings that allow reaching the limit through query strings. The attack does not require a privileged network position.

Impact

Successful exploitation could allow an attacker to bypass the upload request parts limit, potentially causing a denial of service (DoS) by consuming excessive resources. The vulnerability does not lead to data confidentiality or integrity loss.

Mitigation

Users should upgrade to fixed versions: Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74, or 8.5.88 or later. No workarounds are available. Older branches (8.0.x, 8.5.x, 10.0.x) are end-of-life and should be upgraded to supported versions [1][2][3][4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.tomcat.embed:tomcat-embed-coreMaven	>= 11.0.0-M2, < 11.0.0-M5	11.0.0-M5
org.apache.tomcat.embed:tomcat-embed-coreMaven	>= 10.1.5, < 10.1.8	10.1.8
org.apache.tomcat.embed:tomcat-embed-coreMaven	>= 9.0.71, < 9.0.74	9.0.74
org.apache.tomcat:tomcat-coyoteMaven	>= 8.5.85, < 8.5.88	8.5.88

Affected products

osv-coords41 versions
pkg:apk/chainguard/tomcat-8.5.87-jamf-compat pkg:bitnami/tomcat pkg:maven/org.apache.tomcat.embed/tomcat-embed-core pkg:maven/org.apache.tomcat/tomcat-coyote pkg:rpm/almalinux/tomcat pkg:rpm/almalinux/tomcat-admin-webapps pkg:rpm/almalinux/tomcat-docs-webapp pkg:rpm/almalinux/tomcat-el-3.0-api pkg:rpm/almalinux/tomcat-jsp-2.3-api pkg:rpm/almalinux/tomcat-lib pkg:rpm/almalinux/tomcat-servlet-4.0-api pkg:rpm/almalinux/tomcat-webapps pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207 pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP4 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.2 pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 8.5.87-r3+ 40 more
- (no CPE)range: < 8.5.87-r3
- (no CPE)range: >= 8.5.85, <= 8.5.87
- (no CPE)range: >= 11.0.0-M2, < 11.0.0-M5
- (no CPE)range: >= 8.5.85, < 8.5.88
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 1:9.0.62-37.el9_3
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-1.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.36-150100.4.93.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 8.0.53-29.66.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.36-150100.4.93.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.36-150100.4.93.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.75-150200.41.1
- (no CPE)range: < 9.0.36-3.105.1
- (no CPE)range: < 9.0.36-3.105.1
Apache Software Foundation/Apache Tomcatv5
Range: 11.0.0-M2

Patches

5badf94e79e5

Fix parameter counting logic

https://github.com/apache/tomcatMark ThomasApr 11, 2023via ghsa

commit

1 file changed · +2 −2

java/org/apache/tomcat/util/http/Parameters.java+2 −2 modified

@@ -233,13 +233,13 @@ public void addParameter(String key, String value) throws IllegalStateException
             return;
         }
 
-        parameterCount++;
-        if (limit > -1 && parameterCount > limit) {
+        if (limit > -1 && parameterCount >= limit) {
             // Processing this parameter will push us over the limit. ISE is
             // what Request.parseParts() uses for requests that are too big
             setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
             throw new IllegalStateException(sm.getString("parameters.maxCountFail", Integer.valueOf(limit)));
         }
+        parameterCount++;
 
         ArrayList<String> values = paramHashValues.get(key);
         if (values == null) {

d53d8e7f7704

Fix parameter counting logic

https://github.com/apache/tomcatMark ThomasApr 11, 2023via ghsa

commit

1 file changed · +2 −2

java/org/apache/tomcat/util/http/Parameters.java+2 −2 modified

@@ -201,13 +201,13 @@ public void addParameter(String key, String value) throws IllegalStateException
             return;
         }
 
-        parameterCount++;
-        if (limit > -1 && parameterCount > limit) {
+        if (limit > -1 && parameterCount >= limit) {
             // Processing this parameter will push us over the limit. ISE is
             // what Request.parseParts() uses for requests that are too big
             setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
             throw new IllegalStateException(sm.getString("parameters.maxCountFail", Integer.valueOf(limit)));
         }
+        parameterCount++;
 
         paramHashValues.computeIfAbsent(key, k -> new ArrayList<>(1)).add(value);
     }

ba848da71c52

Fix parameter counting logic

https://github.com/apache/tomcatMark ThomasApr 11, 2023via ghsa

commit

1 file changed · +2 −2

java/org/apache/tomcat/util/http/Parameters.java+2 −2 modified

@@ -201,13 +201,13 @@ public void addParameter(String key, String value) throws IllegalStateException
             return;
         }
 
-        parameterCount++;
-        if (limit > -1 && parameterCount > limit) {
+        if (limit > -1 && parameterCount >= limit) {
             // Processing this parameter will push us over the limit. ISE is
             // what Request.parseParts() uses for requests that are too big
             setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
             throw new IllegalStateException(sm.getString("parameters.maxCountFail", Integer.valueOf(limit)));
         }
+        parameterCount++;
 
         paramHashValues.computeIfAbsent(key, k -> new ArrayList<>(1)).add(value);
     }

fbd81421629a

Fix parameter counting logic

https://github.com/apache/tomcatMark ThomasApr 11, 2023via ghsa

commit

1 file changed · +2 −2

java/org/apache/tomcat/util/http/Parameters.java+2 −2 modified

@@ -201,13 +201,13 @@ public void addParameter(String key, String value) throws IllegalStateException
             return;
         }
 
-        parameterCount++;
-        if (limit > -1 && parameterCount > limit) {
+        if (limit > -1 && parameterCount >= limit) {
             // Processing this parameter will push us over the limit. ISE is
             // what Request.parseParts() uses for requests that are too big
             setParseFailedReason(FailReason.TOO_MANY_PARAMETERS);
             throw new IllegalStateException(sm.getString("parameters.maxCountFail", Integer.valueOf(limit)));
         }
+        parameterCount++;
 
         paramHashValues.computeIfAbsent(key, k -> new ArrayList<>(1)).add(value);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-cx6h-86xw-9x34ghsaADVISORY
lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3jghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2023-28709ghsaADVISORY
www.openwall.com/lists/oss-security/2023/05/22/1ghsaWEB
github.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cdghsaWEB
github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dcghsaWEB
github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38ghsaWEB
github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861ghsaWEB
security.gentoo.org/glsa/202305-37ghsaWEB
security.netapp.com/advisory/ntap-20230616-0004ghsaWEB
tomcat.apache.org/security-10.htmlghsaWEB
tomcat.apache.org/security-11.htmlghsaWEB
tomcat.apache.org/security-8.htmlghsaWEB
tomcat.apache.org/security-9.htmlghsaWEB
www.debian.org/security/2023/dsa-5521ghsaWEB
security.netapp.com/advisory/ntap-20230616-0004/mitre

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000