VYPR
High severityNVD Advisory· Published May 22, 2023· Updated Feb 13, 2025

Apache Tomcat: Fix for CVE-2023-24998 is incomplete

CVE-2023-28709

Description

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 11.0.0-M2, < 11.0.0-M511.0.0-M5
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 10.1.5, < 10.1.810.1.8
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 9.0.71, < 9.0.749.0.74
org.apache.tomcat:tomcat-coyoteMaven
>= 8.5.85, < 8.5.888.5.88

Affected products

42

Patches

Vulnerability mechanics

References

16

News mentions

0

No linked articles in our index yet.